Security you can verify, not just claim.
A plain-English description of how we protect your data, how we constrain the AI, and where we are on the certification roadmap.
Our security posture.
We treat customer data as if it were our own PHI. All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Access to production systems is least-privilege, MFA-enforced, and reviewed quarterly. Customer environments are isolated by tenant. We are hosted on HIPAA-eligible AWS services in the United States and we sign a Business Associate Agreement with every customer before any data flows.
Production access is audit-logged and reviewed weekly. Changes to production reach customers through a code-review-and-deploy pipeline only. There is no shared admin password.
AI safety guardrails.
The AI Security Analyst is grounded. It does not freely generate. Every recommendation is retrieved from a source we control: NIST 800-66 Rev. 2, CISA’s Known Exploited Vulnerabilities catalog, vendor advisories, and our internal validated playbook library. Every output carries a confidence score and a citation back to the source.
No destructive action runs without human confirmation. When a finding touches a medical device, an EHR, or a production system, the analyst flags it for review rather than recommending an automatic fix. Every AI-assisted action is written to an audit log your IT team can export.
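To make the guardrail model above concrete, here is an added example of an enforcement layer that sits between an AI analyst and its users. It is illustrative code written for this page, not Guidance Cyber Solutions' product code. The source labels, asset-class names, the 0.7 confidence threshold, and the sample findings are all constructed assumptions; the page itself states only that outputs are retrieved from controlled sources, carry a confidence score and citation, and that findings touching medical devices, EHRs or production systems are flagged for review rather than auto-fixed.

```python
"""Added example (not the vendor's code): a policy gate that enforces
grounding, human-in-the-loop, and audit logging on AI analyst output."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum

# Hypothetical allowlist of retrieval sources, modelled on the ones named on the page.
ALLOWED_SOURCES = {"NIST SP 800-66 Rev. 2", "CISA KEV", "vendor advisory", "validated playbook"}
# Hypothetical asset classes that always go to human review, never to an automatic fix.
SENSITIVE_ASSET_CLASSES = {"medical_device", "ehr", "production"}
# Assumed threshold below which even a non-destructive action needs a human.
MIN_AUTO_CONFIDENCE = 0.7


class Disposition(Enum):
    REJECT = "reject"                 # ungrounded output never reaches a user
    REVIEW = "flag_for_review"        # sensitive asset: no automatic fix recommended
    CONFIRM = "needs_confirmation"    # destructive or uncertain: wait for a human
    AUTO = "auto_apply"               # grounded, non-destructive, confident


@dataclass
class Recommendation:
    finding_id: str
    asset_class: str
    action: str
    destructive: bool
    source: str
    citation: str
    confidence: float


@dataclass
class AuditEntry:
    timestamp: str
    finding_id: str
    action: str
    disposition: str
    reason: str


AUDIT_LOG: list[AuditEntry] = []


def is_grounded(rec: Recommendation) -> bool:
    """An output is grounded only if it cites an allowlisted source and carries a sane score."""
    return (rec.source in ALLOWED_SOURCES
            and bool(rec.citation.strip())
            and 0.0 <= rec.confidence <= 1.0)


def decide(rec: Recommendation) -> Disposition:
    """Apply the guardrails in priority order and write every decision to the audit log."""
    if not is_grounded(rec):
        disp, reason = Disposition.REJECT, "missing citation or non-allowlisted source"
    elif rec.asset_class in SENSITIVE_ASSET_CLASSES:
        disp, reason = Disposition.REVIEW, f"finding touches {rec.asset_class}"
    elif rec.destructive:
        disp, reason = Disposition.CONFIRM, "destructive action requires human confirmation"
    elif rec.confidence < MIN_AUTO_CONFIDENCE:
        disp, reason = Disposition.CONFIRM, f"confidence {rec.confidence:.2f} below threshold"
    else:
        disp, reason = Disposition.AUTO, "grounded, non-destructive, confident"
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                rec.finding_id, rec.action, disp.value, reason))
    return disp


def export_audit_log() -> list[dict]:
    """Plain dicts, ready to serialise for an IT team's export."""
    return [asdict(e) for e in AUDIT_LOG]


def run_sample() -> dict[str, str]:
    """Constructed sample findings (placeholders, not real advisories) run through the gate."""
    AUDIT_LOG.clear()
    sample = [
        Recommendation("R-1", "workstation", "apply vendor patch", False,
                       "CISA KEV", "KEV entry (placeholder)", 0.92),
        Recommendation("R-2", "medical_device", "disable legacy file-sharing protocol", True,
                       "vendor advisory", "advisory (placeholder)", 0.88),
        Recommendation("R-3", "workstation", "remove stale local admin account", True,
                       "validated playbook", "playbook (placeholder)", 0.95),
        Recommendation("R-4", "workstation", "change registry setting", False,
                       "web search", "", 0.60),
    ]
    return {rec.finding_id: decide(rec).value for rec in sample}


if __name__ == "__main__":
    for fid, disp in run_sample().items():
        print(fid, disp)
    for entry in export_audit_log():
        print(entry)
```

The ordering of the checks is the point: grounding is verified before anything else, so an output with no citation is dropped rather than merely flagged, and the asset-class check runs before the destructive-action check, so a finding on a medical device goes to review even when the proposed action looks harmless.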
Compliance roadmap.
We tell you what we have and what we don’t. We will update this page the day a status changes.
PHI handling.
We collect the minimum data required to assess your security posture: device inventory, configuration metadata, vulnerability scan results, and the user accounts authorized on those systems. We do not collect patient records, imaging, or claims data. We do not need it and we do not want it.
Scan data is retained for 24 months by default to support audit lookback. Customers can extend or shorten retention through the admin console. On contract termination, we return or destroy customer data within 30 days and provide a written certificate of destruction.
Responsible disclosure.
If you believe you have found a security vulnerability in our product, email security@guidancecybersolutions.com. We acknowledge every report within 48 hours, work with the reporter on a remediation timeline, and credit researchers who follow coordinated disclosure.
PGP key on request. We do not currently run a paid bug bounty.