Security and Compliance

Apothecare is built with a strong focus on protecting sensitive data, maintaining system reliability, and supporting healthcare-grade security practices.

Last Updated: May 13, 2026

We use layered administrative, technical, and organizational safeguards designed to help protect information against unauthorized access, disclosure, alteration, and loss. We continuously evaluate and improve our controls as our platform, infrastructure, and regulatory environment evolve. Our approach is informed by widely recognized security frameworks, including the NIST Cybersecurity Framework 2.0.

Regulatory Alignment

Apothecare is designed to support organizations operating in regulated healthcare environments. Where applicable, we align our security and privacy practices with the U.S. Health Insurance Portability and Accountability Act, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. These rules govern the use, disclosure, safeguarding, and breach response obligations related to protected health information.

For customers that qualify as HIPAA covered entities or business associates, Apothecare may support the handling of protected health information subject to an executed Business Associate Agreement and appropriate implementation controls. Any HIPAA-related commitments apply only to the services, configurations, and workflows covered by the applicable agreement.

In addition to HIPAA, certain digital health products may also be subject to the FTC Health Breach Notification Rule, which can apply to health apps, connected devices, and similar technologies that are not covered by HIPAA.

Infrastructure Security

Apothecare uses reputable cloud and infrastructure providers selected for their security, scalability, and operational resilience. We implement access restrictions, environment segregation, logging, and monitoring designed to reduce risk and support secure operations.

Core infrastructure protections include:

  • Hardened cloud configurations with environment segregation
  • Role-based access controls with row-level security on all database tables
  • TLS 1.3 encryption in transit with HSTS enforcement
  • AES-256 encryption at rest for database and file storage
  • Centralized audit logging with IP address and user-agent tracking on every data access
  • Automated daily backups with point-in-time recovery
  • Vulnerability scanning and dependency patch management

Where third-party infrastructure providers are used, their security responsibilities are paired with Apothecare's own application, access, and operational controls under a shared responsibility model.

AI Data Handling

As a clinical AI platform, Apothecare takes special care with how patient data is processed by AI providers. Our AI architecture is designed with the following safeguards:

  • AI providers are selected based on their data handling practices and willingness to execute Business Associate Agreements
  • Our primary AI provider operates under a zero data retention policy — patient data sent via the API is never stored, logged, or used for model training
  • Clinical data is transmitted to AI providers only during active processing and is not persisted on provider infrastructure
  • AI-generated clinical content includes disclaimers and is always subject to practitioner review before clinical use
  • Prompt injection detection validates all user inputs before they reach AI providers

Availability and Reliability

Apothecare is designed for dependable performance and ongoing service availability. We monitor production systems, investigate incidents, and maintain response procedures intended to support continuity of service. While no service can guarantee uninterrupted operation, we work to reduce downtime risk and restore service promptly when issues arise.

Data Protection and Privacy

Customer Data

Apothecare stores and processes customer data in accordance with our contractual commitments, internal policies, and applicable law. Access to data is limited to authorized personnel with a legitimate business need, subject to role-based permissions and internal controls.

Protected Health Information

If a customer elects to use Apothecare in workflows involving protected health information, we apply safeguards intended to support the confidentiality, integrity, and availability of that information. HIPAA-related use cases require appropriate contractual and technical implementation, including a Business Associate Agreement where applicable.

Encryption

All data transmitted to and from Apothecare is protected using TLS 1.3 with HTTP Strict Transport Security (HSTS) enforcement. Stored data is encrypted at rest using AES-256 encryption via our database and storage providers. These measures are intended to reduce the risk of unauthorized access to sensitive information during transmission and storage.

Audit Logging

Every access to protected health information is recorded in an immutable audit log capturing the practitioner, action performed, resource accessed, IP address, user agent, and timestamp. Export events include unique session identifiers and document watermarks to support breach investigation and traceability. Audit logs are retained for a minimum of six years, consistent with common healthcare retention norms.

Secure Development and Testing

Security is incorporated into the software development lifecycle. Our security practices include:

  • Code review and change controls on all production deployments
  • Dependency scanning and secret detection in the development pipeline
  • Input validation with schema enforcement on all API endpoints
  • Content Security Policy headers and XSS protection on all responses
  • CSRF origin validation on all mutating endpoints
  • Environment-specific testing before release
  • Access logging and anomaly monitoring
  • Periodic security reviews of architecture and controls

We assess and prioritize remediation of identified vulnerabilities based on severity, exploitability, and potential impact.

Security Governance

Apothecare maintains internal security and operational policies covering:

  • Access management
  • Asset and device management
  • Data protection and retention
  • Incident response
  • Vendor and subprocessor oversight
  • Risk assessment
  • Secure development practices
  • Vulnerability management
  • Workforce training and awareness

These policies are reviewed periodically and updated as needed to reflect platform changes, business needs, and legal developments.

Incident Response and Breach Notification

Apothecare maintains procedures for identifying, investigating, containing, and remediating security incidents. When required by applicable law or contract, we provide notice of qualifying incidents or breaches within the timelines required under HIPAA, the FTC Health Breach Notification Rule, and other applicable obligations.

Independent Assessments

Apothecare performs internal and external assessments of its security controls, which can include vulnerability assessments, control testing, and penetration testing. Where Apothecare states that it has achieved a certification or completed an independent audit, that statement applies only if expressly identified on this page or in customer documentation.

Apothecare is actively working toward SOC 2 Type II certification for the Security trust services criteria. This page will be updated when independent assessments are completed.

Responsible Disclosure

We take reports of security issues seriously and investigate credible submissions in a timely manner.

To report a suspected vulnerability, please contact: contact@apothecare.ai

Please include:

  • A clear description of the issue
  • Affected URL, feature, or environment
  • Reproduction steps
  • Proof of concept, if available
  • Your contact information for follow-up

We ask researchers to act in good faith, avoid privacy violations or service disruption, and allow us reasonable time to investigate and remediate before public disclosure.