XpioHealth

Trust & Security

How we protect your data, and prove it. SOC 2 Type II in progress. HIPAA compliant. NIST 800-53 aligned. NIST AI RMF aligned. Penetration tested. Independently verified.

Compliance & Certifications

Our security posture, by the numbers.

We operate with the same standards we hold our clients to. Every framework. Every engagement.

In Progress

SOC 2 Type II

Independent audit of security controls across availability, confidentiality, and processing integrity.

Compliant

HIPAA

Full administrative, technical, and physical safeguard implementation. BAA available for all client engagements.

Aligned

NIST 800-53

Security controls mapped to NIST 800-53 Rev. 5 framework. Federal-grade security posture.

Aligned

NIST AI RMF

AI risk management aligned to NIST AI RMF 1.0. Governance, transparency, and accountability for all AI-powered services.

Compliant

WCAG 2.1 AA

Full keyboard navigation, screen reader support, 4.5:1 contrast ratios, 44px touch targets.

Trust Center

Verify our security posture. On demand.

Our Vanta-powered Trust Center gives you real-time visibility into our compliance status, security controls, and documentation. Request access to review our SOC 2 report, HIPAA documentation, penetration test results, and security policies.

Available in the Trust Center

  • SOC 2 Type II Report
  • HIPAA Compliance Documentation
  • Security Policies & Procedures
  • Penetration Test Results
  • Business Associate Agreement (BAA)
  • Certificate of Insurance

Some documents require NDA. Access requests are typically approved within one business day.

Proven Results

Security in practice, not just policy.

Incident response, compliance intelligence, and legacy migration: see how we deliver.

How We Operate

Security by default.

Data Encryption

TLS 1.3 in transit, AES-256 at rest. All client data encrypted end-to-end.

Access Control

Role-based access, least privilege, MFA required. Immutable audit logs.

Business Associate Agreements

BAA executed for every client engagement. No exceptions.

Xpio Delphi Cyber Pro

Our proprietary compliance framework for healthcare organizations. Structured, documented, auditable.

Vendor Security

All third-party vendors assessed. AI models under enterprise BAA (Anthropic Claude via AWS Bedrock). Zero data retention on healthcare queries.

Incident Response

Documented incident response plan. Regular tabletop exercises. 24-hour breach notification commitment.

Accessibility

Accessible by Design

Our website meets WCAG 2.1 Level AA standards, the same standard required of state and public entities under the ADA. Full keyboard navigation, screen reader support, and tested across assistive technologies. Because if we're building technology for healthcare, everyone needs to be able to use it.

  • Full keyboard navigation: every interactive element reachable without a mouse
  • Screen reader support: semantic HTML, ARIA labels, and live regions
  • Motion sensitivity: all animations respect prefers-reduced-motion
  • Color contrast: 4.5:1 minimum ratio across all text
  • Touch targets: minimum 44×44px for all interactive elements

Security you can verify.

Access our Trust Center, review our compliance documentation, or talk to our security team directly.
