AdherixHealth
Security

Our security posture

Last updated: April 26, 2026

Adherix processes patient behavioral data and SMS communications on behalf of healthcare clinics. The following describes how we protect that data across infrastructure, transmission, access, and operations.

Infrastructure

The Adherix platform is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification. Our database, application layer, and communications infrastructure are each operated by providers that maintain independent third-party security audits and support HIPAA-eligible deployments. We select infrastructure partners on the basis of their compliance certifications, not cost alone.

All patient and clinic data is stored in the United States.

Encryption

  • In transit: All data between clients, the Adherix application, and our infrastructure is encrypted using TLS 1.2 or higher. This applies to browser sessions, API calls, database connections, and SMS delivery pipelines.
  • At rest: Patient and clinic data stored in our database is encrypted at rest using AES-256.
  • SMS content: Message content is transmitted over encrypted channels and stored in our encrypted database to support the behavioral engine and clinic reporting.

Access controls

  • Authentication: Clinic administrator accounts use email/password authentication with JWT-based session management. Sessions are scoped and expire on inactivity.
  • Multi-tenant isolation: All patient data is scoped to a clinic identifier enforced at the application layer. No clinic can access another clinic’s data. This isolation is structural, not policy-dependent.
  • Principle of least privilege: Service credentials are scoped to the minimum permissions required for each function. Internal API endpoints that process patient data require authenticated sessions.
  • Audit trail: All patient state changes, message events, and trigger firings are recorded in an append-only event log for each clinic.

HIPAA posture

Adherix is designed for HIPAA-aware deployments. Our infrastructure partners maintain HIPAA-eligible environments, and we apply the minimum necessary standard to all patient data we process — collecting only what is required to deliver phase-based behavioral outreach.

We require a signed Business Associate Agreement (BAA) with any Clinic Operator that is a HIPAA Covered Entity before processing Protected Health Information in a production environment. Pilot programs involving real patient data are subject to this requirement.

To request a BAA, contact hello@adherix.health.

Incident response

In the event of a confirmed breach affecting patient or clinic data, Adherix will notify affected Clinic Operators within 72 hours of discovery, consistent with HIPAA Breach Notification Rule requirements. Notifications will describe the nature of the incident, affected data categories, and remediation actions taken.

Vulnerability disclosure

If you discover a potential security issue in the Adherix platform, please report it to hello@adherix.health before public disclosure. We will acknowledge receipt within 48 hours and work to resolve confirmed issues promptly.

Questions

Security questions, BAA requests, or sub-processor inquiries: hello@adherix.health

© 2026 Adherix Health. All rights reserved. HIPAA-aware infrastructure for GLP-1 retention programs.