Where Auravio stands today
Architected for HIPAA-aligned operational practices. The technical safeguards required by the HIPAA Security Rule — access control, audit controls, integrity controls, transmission security, are implemented. Administrative and physical safeguards are documented in the deployment guide.
BAA-ready for hospital deployment. Auravio is prepared to execute a Business Associate Agreement with a covered entity. The architecture cleanly separates patient data flow from administrative metadata, supporting the contractual requirements a BAA imposes.
Not yet HIPAA-certified. HIPAA does not have a single certification body in the way SOC 2 does, but formal third-party security audits, penetration testing, HITRUST assessment, or equivalent, have not yet been completed. These are part of the path to a real production hospital deployment that Auravio plans to embark on.
No SOC 2 report yet. SOC 2 Type 1 and Type 2 reports require sustained operational maturity that an early-stage product cannot honestly claim. SOC 2 work is on the path; it is not done.
Encryption at rest. Every patient-derived field, source transcripts, translations, summaries, structured extractions, is encrypted at the column level using authenticated encryption. The encryption key is held outside the database and rotated independently. Compromise of the database alone does not yield readable patient data.
Encryption in transit. All connections to Auravio, clinician to web app, web app to backend, backend to model providers, use TLS 1.3. Certificates are managed automatically and renewed continuously.
Authentication. Auravio uses OpenID Connect single sign-on. Today this means Google Workspace; SAML and hospital identity provider integration are part of the deployment-ready architecture.
Session security. Sessions are signed JWTs with an 8-hour lifetime, transmitted over secure cookies with strict cross-site protection. Session revocation is immediate on logout.
Role-based access. Clinician, admin, and read-only roles are enforced server-side. No client-controlled access logic. Privilege boundaries are tested with the deployed test suite.
Auravio maintains an append-only audit log of every meaningful event: session creation, audio submission, trust evaluations, summary generation, FHIR exports, deletions, and admin actions. The append-only property is enforced at the database level, not in application code. Even Auravio's own administrators cannot retroactively modify or delete audit entries.
The audit log is the basis for institutional accountability. A hospital deploying Auravio gets a verifiable trail of every clinical interaction the system was part of, including the trust signals surfaced and the recommendations issued.
Every session event is recorded
Data lifecycle
Retention is configurable per deployment. Defaults are conservative: session content retained 90 days unless explicitly preserved by the clinician; soft-deletion grace period of 30 days; audit log retained 7 years per HIPAA-aligned requirements.
Session-level deletion is supported and propagates through all derived data (transcripts, translations, summaries, FHIR drafts) while preserving audit trail entries that record the deletion event itself. Hard deletion runs on a scheduled retention cleanup job.