Security

Serious about data. Honest about status.

Encryption everywhere, no PHI by design, auditable AI access, and a security posture we describe exactly as it is.

01

No PHI, by architecture

Oystercatcher is built on public provider data — NPI registry, CMS datasets, Open Payments, state medical boards. We never process patient data, so there is no PHI in the platform to protect, breach, or subpoena.

Public provider data only — never patient dataHIPAA not applicable; no BAA neededProviders can opt out — suppressed across every view and export
02

Encryption & infrastructure

Data is encrypted at rest with AES-256 using AWS KMS-managed keys, and in transit with TLS. The platform runs on AWS with tenant isolation enforced at the query layer for every organization.

AES-256 at rest · AWS KMS keysTLS for all data in transitPer-organization tenant isolationExport download links expire automatically
03

Access & authentication

Role-based access control with owner, admin, and member roles. Multi-factor authentication, with TOTP MFA enforced for administrative access. Enterprise plans add single sign-on across the major identity providers.

RBAC: owner · admin · memberMFA (TOTP) — enforced for admin accessSSO: Okta · Azure AD / Entra · Google Workspace · OneLogin · custom SAML 2.0Google and Microsoft sign-in on every plan
04

Auditability & AI governance

Every integration is OAuth — no shared credentials. Sync activity is logged. AI-assistant access over MCP is consented per user, governable org-wide by admins, and every call lands in the audit log.

OAuth for every integrationAudit logs retained for 2 yearsMCP: per-user consent, org policy switch, minimum-role control72-hour breach notification commitment (see DPA)
05

SOC 2: in progress, not claimed

We are building our control environment toward a future SOC 2 examination. We are not yet certified, and we will not imply otherwise — when the report exists, it will be here.

SOC 2 program underway — not yet certifiedControl environment documented in our legal & security pages
The full detail lives in our legal pages: Security · Data Processing Addendum · Subprocessors · Vulnerability Disclosure
Closing  ·  spend your time selling

Let the agents
do the research.
Your team does
what it does best.