Enterprise-Grade Security for Healthcare

TOM Compliance is built on HIPAA-eligible infrastructure, covered by signed Business Associate Agreements, with the safeguards ASCs and their patients expect.

HIPAA Compliant

TOM maintains a signed Business Associate Agreement (BAA) with every subscriber and with our infrastructure providers. All data handling follows HIPAA Privacy and Security Rule requirements.

  • BAA required for all customers
  • BAA with infrastructure provider (Supabase, which runs on AWS)
  • PHI handled with appropriate safeguards
  • Designated Privacy & Security Officer

Encryption & Data Protection

Your data is protected at every layer.

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Row-level security — facilities cannot access each other's data
  • No PHI stored on local devices

Access Controls

Role-based permissions ensure the right people see the right data.

  • Owner, Pharmacist, Nurse, and Admin roles
  • PIN-based access for facility staff
  • Rate limiting on authentication attempts to blunt brute-force and PIN guessing
  • Session management with automatic expiry

Audit & Compliance

Complete documentation for survey readiness.

  • Every action logged with user, timestamp, and details
  • 72-hour pharmacist verification workflow
  • 10-year data retention meeting DEA and state requirements
  • Compliance scoring across 7 categories
  • Downloadable compliance reports (PDF)
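The facility isolation promised under Encryption & Data Protection and the per-action logging promised here both come down to controls in the database. The following is an added example, not TOM's schema or code, of how those two controls are typically built on PostgreSQL as hosted by Supabase. The tables and columns (facility_members, medication_logs, audit_log) are assumptions for illustration; auth.uid() and the authenticated role are Supabase conventions, and the request.jwt.claims setting used in the final check is how Supabase's auth.uid() currently reads the caller's identity.

```sql
-- Added example (not TOM's schema): per-facility isolation with PostgreSQL
-- row-level security, plus an append-only audit trail fed by a trigger.
-- Assumed names: facility_members, medication_logs, audit_log.
-- auth.uid() and the "authenticated" role are Supabase conventions.

CREATE TABLE facility_members (
  user_id     uuid NOT NULL,
  facility_id uuid NOT NULL,
  PRIMARY KEY (user_id, facility_id)
);

CREATE TABLE medication_logs (
  id          bigserial PRIMARY KEY,
  facility_id uuid NOT NULL,
  drug        text NOT NULL,
  quantity    integer NOT NULL
);

-- 1. Tenant isolation. An RLS-enabled table is deny-by-default; FORCE applies
--    the policies to the table owner too. The Supabase service_role key
--    bypasses RLS entirely, so it must never reach client-side code.
ALTER TABLE facility_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE facility_members FORCE ROW LEVEL SECURITY;
ALTER TABLE medication_logs  ENABLE ROW LEVEL SECURITY;
ALTER TABLE medication_logs  FORCE ROW LEVEL SECURITY;

-- Users may read only their own membership rows. Without this policy the
-- subquery in the next policy returns nothing and every query comes back empty.
CREATE POLICY members_self ON facility_members
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- USING filters reads/updates/deletes; WITH CHECK validates inserted and
-- updated rows, so a user cannot write rows tagged with another facility.
CREATE POLICY facility_isolation ON medication_logs
  FOR ALL TO authenticated
  USING      (facility_id IN (SELECT facility_id FROM facility_members WHERE user_id = auth.uid()))
  WITH CHECK (facility_id IN (SELECT facility_id FROM facility_members WHERE user_id = auth.uid()));

-- 2. Append-only audit trail: who, when, which row, and before/after images.
CREATE TABLE audit_log (
  id          bigserial PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  actor_id    uuid,                      -- NULL for jobs run outside a user session
  facility_id uuid NOT NULL,
  table_name  text NOT NULL,
  action      text NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
  row_id      text NOT NULL,
  old_row     jsonb,
  new_row     jsonb
);

-- SECURITY DEFINER lets the trigger insert even though app roles cannot write
-- audit_log directly; search_path is pinned to stop function hijacking.
CREATE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
  INSERT INTO audit_log (actor_id, facility_id, table_name, action, row_id, old_row, new_row)
  VALUES (
    auth.uid(),
    CASE WHEN TG_OP = 'DELETE' THEN OLD.facility_id ELSE NEW.facility_id END,
    TG_TABLE_NAME,
    TG_OP,
    (CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END)::text,
    CASE WHEN TG_OP <> 'INSERT' THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP <> 'DELETE' THEN to_jsonb(NEW) END
  );
  RETURN NULL;  -- AFTER row trigger: the return value is ignored
END $$;

CREATE TRIGGER medication_logs_audit
  AFTER INSERT OR UPDATE OR DELETE ON medication_logs
  FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- Immutability enforced in the database, independent of application code.
CREATE FUNCTION reject_audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only; % rejected', TG_OP;
END $$;

CREATE TRIGGER audit_log_immutable
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION reject_audit_mutation();

-- Row triggers do not fire on TRUNCATE, so revoke it along with UPDATE/DELETE;
-- app roles may only read their own facility's trail.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM authenticated;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_read_own_facility ON audit_log
  FOR SELECT TO authenticated
  USING (facility_id IN (SELECT facility_id FROM facility_members WHERE user_id = auth.uid()));

-- Check: impersonate a user inside one transaction. Only that user's facility
-- rows are visible, and the UPDATE fails (privilege revoked, trigger as backstop).
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
SELECT count(*) FROM medication_logs;
UPDATE audit_log SET new_row = NULL;
ROLLBACK;
```

Two points worth checking in any Supabase project: the policy on facility_members is easy to forget, and its absence silently breaks every facility-scoped query rather than failing loudly; and the service_role key, which bypasses all of the above, belongs only in server-side code.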

Infrastructure

Hosted on trusted, certified infrastructure.

  • Supabase (PostgreSQL on AWS) — SOC 2, ISO 27001
  • Vercel edge network — global CDN
  • 99.9% uptime target with continuous monitoring
  • Automated error detection and alerting
  • US-based data centers only

Security Practices

We follow modern security engineering practices.

  • Automated dependency vulnerability scanning
  • Security regression tests on every deployment
  • Content Security Policy (CSP) headers
  • Private source code repositories
  • No secrets in client-side code

Certifications & Roadmap

Building toward the highest standards.

  • HIPAA Compliant: Active
  • Supabase HIPAA BAA: Active
  • SOC 2 Type I: Planned 2027
  • SOC 2 Type II: Planned 2027-2028
  • HITRUST: Evaluating

Sub-Processors

  • Supabase (database) — HIPAA BAA active
  • AWS (cloud infrastructure) — HIPAA eligible
  • Vercel (hosting)
  • Stripe (payments) — PCI DSS Level 1
  • Sentry (error monitoring)

Questions?

We're happy to discuss our security practices with your compliance team.

HIPAA compliant · SOC 2 infrastructure · AES-256 encryption · Immutable audit trail · Made in Austin, TX