Security & compliance

Built secure from day one.

Ayra is HIPAA-compliant, SOC 2 in progress, BAA-available, and built to anchor consent proofs to public DLT receipts without writing PHI to ledger. Below is the full posture — written for security reviewers, not marketing.

HIPAA compliant · SOC 2 Type I in progress · BAA available · Encrypted at rest & in transit

Compliance posture.

HIPAA

BAA-backed by default.

Every covered entity using Ayra signs a Business Associate Agreement. All PHI is treated as covered under HIPAA Security and Privacy Rules.

SOC 2

Type I in progress.

Vanta-automated evidence collection running daily. Type I attestation expected Q3 2026, Type II to follow.

Other

GDPR & CCPA.

Data subject access, portability, and deletion supported. Privacy-by-design controls documented in our privacy policy.

Data protection.

PHI never leaves your covered environment. Hashes and metadata flow through Ayra's infrastructure — but the data itself stays where you control it.

Encryption

  • AES-256-GCM encryption at rest for all PHI stores
  • TLS 1.3 in transit, mTLS for service-to-service
  • Per-customer key isolation via AWS KMS
  • Hardware security modules for signing operations

Access control

  • Role-based access (RBAC) on every endpoint
  • Required MFA for all admin and clinician accounts
  • Session timeouts: 60 minutes idle, 12 hours absolute
  • Break-glass procedures audited and time-bound

Network

  • Private VPC with no public-facing PHI services
  • WAF on every public endpoint
  • Rate limiting and DDoS protection at the edge
  • IP allowlist available for enterprise customers

Monitoring

  • Every authenticated action recorded in the audit log
  • Real-time alerting on anomalous patterns
  • 24/7 on-call rotation for production incidents
  • Daily backup verification with 30-day retention

SmartConsent™ receipt proof.

Every consent grant is anchored as a cryptographic hash in the receipt environment. The hash contains no PHI, only a tamper-evident proof. Ayra Verifier recomputes proof bundles without relying on Ayra's mutable application database.

Reviewable through the receipt layer.

Our SmartConsent registry is deployed in the validation environment. Authorized reviewers can confirm a consent grant or revocation by checking the public DLT receipt and recomputing the proof path through Ayra Verifier.
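As an added illustration, not Ayra's code (the page does not describe Ayra Verifier's actual proof format), the sketch below shows one way the receipt model above can work: each consent event becomes a salted SHA-256 commitment, a batch of commitments is Merkle-rooted, only the root is anchored, and a reviewer recomputes the path from the disclosed record and its salt rather than from any application database. Record layout, field names and the batch contents are assumptions.

```python
import hashlib, json, os

def canonical(record: dict) -> bytes:
    # Stable serialisation so issuer and reviewer hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def commit(record: dict, salt: bytes) -> bytes:
    # Salted commitment: only this digest reaches the ledger. The 32-byte salt stays
    # in the covered environment, so low-entropy fields cannot be guessed from the hash.
    return hashlib.sha256(salt + canonical(record)).digest()

def _node(left: bytes, right: bytes) -> bytes:
    # Domain-separated interior node so a leaf digest cannot pose as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()
def _next_level(level: list) -> list:
    if len(level) % 2:
        level = level + [level[-1]]  # duplicate the last digest on odd levels
    return [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list) -> bytes:
    while len(leaves) > 1:
        leaves = _next_level(leaves)
    return leaves[0]

def merkle_path(leaves: list, index: int) -> list:
    # Sibling digests plus their side: the proof bundle handed to a reviewer.
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        path.append((level[sib], "L" if sib < index else "R"))
        level, index = _next_level(level), index // 2
    return path

def verify(record: dict, salt: bytes, path: list, anchored_root: bytes) -> bool:
    # Recomputed from the disclosed record and salt only, never from an app DB.
    h = commit(record, salt)
    for sib, side in path:
        h = _node(sib, h) if side == "L" else _node(h, sib)
    return h == anchored_root

def demo() -> tuple:
    # Constructed batch of consent events; no real patient data.
    batch = [{"subject": f"patient-{i}", "scope": s, "action": a, "ts": f"2026-01-05T10:0{i}:00Z"}
             for i, (s, a) in enumerate([("claims", "grant"), ("labs", "revoke"), ("rx", "grant")])]
    salts = [os.urandom(32) for _ in batch]
    leaves = [commit(r, s) for r, s in zip(batch, salts)]
    root = merkle_root(leaves)  # the only value that is anchored on the DLT
    genuine = verify(batch[1], salts[1], merkle_path(leaves, 1), root)
    flipped = dict(batch[1], action="grant")  # a revocation quietly turned into a grant
    return genuine, verify(flipped, salts[1], merkle_path(leaves, 1), root)
```

The salt is what keeps the public digest from being a reversible fingerprint of a patient record; a reviewer who is handed the record and salt can confirm the event, while anyone holding only the ledger learns nothing about its contents.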

Contract: 0x9d7e127A4fb606C1d92c9C29Bb04f1fF9319Cff6
Deploy tx: 0xeba21d7cd056108467ef4c22ee72be0e0c732c5ad058e5fc412ee6e9524723ce
Network: receipt environment (moves to the production receipt environment at payer pilot launch)

Incident response.

If a security incident occurs that may affect customer data, we follow a documented response plan: contain within 1 hour, notify customers within 24 hours and regulators within 72 hours (per the HIPAA Breach Notification Rule), and provide a written post-mortem within 7 days.

What's covered

  • Unauthorized PHI access or disclosure
  • Account compromise (clinician, admin, payer)
  • Service availability impact > 1 hour
  • Vendor-side incident affecting Ayra customers

How to report

  • Email: security@ayrahealth.com
  • Encrypted: PGP key on request
  • Phone: published in the customer portal
  • Acknowledgement within 4 hours, 24/7

Responsible disclosure.

Found a vulnerability?

We welcome reports from security researchers. We commit to a 90-day disclosure window, will not pursue legal action for good-faith research, and acknowledge contributors publicly (with permission).

Report to security@ayrahealth.com. We'll respond within 4 hours and provide regular status updates. Critical issues are eligible for a thank-you bounty up to $5,000 depending on severity and impact.