Trust & Security

Privacy, Security & Compliance by Design

PHI never touches the exchange. That's not a feature — it's the architecture.

CORE PRINCIPLE

The most secure health data is the health data you never touch

HDX is designed so that protected health information never passes through our systems. We broker connections and settle transactions. Buyers connect directly to data providers for record access.

Zero-PHI Architecture Guarantees

  • Compliance scope limited to financial and identity data
  • Direct buyer-to-provider connections for all record access
  • HIPAA Covered Entity liability avoided by design
  • Eliminates the most common attack surface: the centralized data store

Vault-First Security

Every secret, every cryptographic operation, every database credential flows through HashiCorp Vault. There are zero secrets in environment variables, configuration files, or code.

  • Custom PersonaLink secrets engine for HMAC operations and Bloom filter comparison
  • Transit encryption for all sensitive data (AES-256-GCM)
  • Dynamic database credentials with automatic rotation (1-hour TTL)
  • OCI KMS auto-unseal with HSM-protected keys

Blockchain Audit Trail

Every access grant is written to Solana as an immutable record. The grant includes the settlement amount, a SHA-256 hash of the agreed terms, the access mode, and expiration.

This creates a tamper-proof audit trail that no party — including HDX — can alter after the fact. Providers verify grants by reading Solana state directly. No trust in HDX is required for grant verification.

This is a significant regulatory advantage in an industry under intense compliance scrutiny.
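The verification step described above, as an added example that is not HDX's own code: a provider reads a grant record from chain and checks it against its own copy of the agreed terms. The record's field names, the JSON canonicalization, the Unix-timestamp expiry and all sample values are assumptions constructed for the example; the page only states that the record holds the settlement amount, a SHA-256 hash of the terms, the access mode and an expiration. The point the example adds is that both parties must hash the same canonical bytes, and that the provider rejects on any mismatch, wrong mode or expiry without asking HDX.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


# Constructed stand-in for the fields the page says each on-chain grant carries.
# Field names and the "smallest currency unit" convention are assumptions.
@dataclass(frozen=True)
class GrantRecord:
    settlement_amount: int  # assumed: integer in the smallest currency unit
    terms_hash: str         # hex SHA-256 of the agreed terms
    access_mode: str        # constructed value such as "read-only"
    expires_at: int         # assumed: Unix timestamp


def canonical_terms(terms: dict) -> bytes:
    """Serialize terms deterministically: sorted keys, no whitespace, UTF-8.
    Both parties must hash identical bytes or the check fails spuriously."""
    return json.dumps(terms, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def terms_hash(terms: dict) -> str:
    """SHA-256 over the canonical serialization, hex-encoded."""
    return hashlib.sha256(canonical_terms(terms)).hexdigest()


def verify_grant(record: GrantRecord, local_terms: dict,
                 requested_mode: str, now: int) -> tuple[bool, str]:
    """Provider-side check of a grant read from chain against the provider's own
    copy of the agreed terms. Returns (ok, reason) so the reason can be logged."""
    if now >= record.expires_at:
        return False, "grant expired"
    if record.access_mode != requested_mode:
        return False, "access mode does not match grant"
    # compare_digest avoids timing differences on the hash comparison
    if not hmac.compare_digest(record.terms_hash, terms_hash(local_terms)):
        return False, "terms hash mismatch: terms differ from what was agreed"
    if record.settlement_amount != local_terms["settlement_amount"]:
        return False, "settlement amount on chain differs from agreed terms"
    return True, "ok"


# --- constructed sample data (not real parties, prices or FHIR scopes) ------
AGREED_TERMS = {
    "buyer": "buyer-123",
    "provider": "provider-456",
    "scope": ["Patient", "Observation"],
    "settlement_amount": 25000,
    "access_mode": "read-only",
}
NOW = 1_700_000_000

ON_CHAIN = GrantRecord(
    settlement_amount=25000,
    terms_hash=terms_hash(AGREED_TERMS),
    access_mode="read-only",
    expires_at=NOW + 3600,
)


def demo() -> dict:
    """Runs the cases a provider should care about; returns (ok, reason) by case."""
    # Same terms with keys in a different order: canonicalization makes this pass.
    reordered = dict(reversed(list(AGREED_TERMS.items())))
    # A copy altered after the fact: one field changed, so the hash no longer matches.
    tampered = {**AGREED_TERMS, "scope": ["Patient", "Observation", "Claim"]}
    return {
        "valid": verify_grant(ON_CHAIN, AGREED_TERMS, "read-only", NOW),
        "reordered": verify_grant(ON_CHAIN, reordered, "read-only", NOW),
        "tampered": verify_grant(ON_CHAIN, tampered, "read-only", NOW),
        "wrong_mode": verify_grant(ON_CHAIN, AGREED_TERMS, "read-write", NOW),
        "expired": verify_grant(ON_CHAIN, AGREED_TERMS, "read-only", NOW + 7200),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:10} {'PASS' if ok else 'REJECT'}: {reason}")
```

The reason string is returned rather than raised so a provider can log every rejection; a hash mismatch on a record that is otherwise well-formed is exactly the signal that someone's copy of the terms has drifted from what was settled.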

REGULATORY

Built for healthcare compliance

HIPAA-Aligned

Zero-PHI architecture minimizes Covered Entity exposure

FHIR R4 Compliant

Native interoperability standard for all record exchange

SOC 2 Roadmap

Pursuing Type II certification

Role-Based Access

Six roles with endpoint-level authorization

Audit Logging

Every API call, every secrets access, every grant issuance logged

On-Chain Audit Trail

Immutable transaction records on Solana blockchain

Trust by Design

  • HIPAA Aligned
  • SOC 2 Roadmap
  • Vault-First Security
  • Zero-PHI Architecture
  • On-Chain Audit Trail
  • FHIR R4 Compliant

Questions about our security architecture?

We're happy to discuss our security practices in detail with prospective partners and collaborators.

Get in Touch