Our security posture
MomCradl is built on HIPAA-aligned infrastructure with signed Business Associate Agreements (BAAs) from our core vendors. We are transparent about what we have today and what is on our roadmap.
What we have in place today
Encryption in transit & at rest
TLS 1.2+ for all traffic. AES-256 encryption at rest for the database and backups.
Row-Level Security (RLS)
Every patient record is isolated at the database layer. Users can only read or write data they own.
Signed BAAs
Business Associate Agreements are in place with our infrastructure and AI gateway providers covering the handling of Protected Health Information.
Audit logging
Authentication events, data access, and administrative actions are logged for review.
Least-privilege access
Access to production data is restricted to a small set of engineers, requires MFA, and is reviewed regularly.
No third-party model training
Patient conversations are processed through our secure AI gateway and are not used to train third-party foundation models.
What we are honest about
MomCradl is not yet third-party audited against HIPAA, SOC 2, or HITRUST. HIPAA itself has no government certification — compliance is a self-attested program of controls, policies, and BAAs.
We describe ourselves as HIPAA-aligned, meaning we implement the Security Rule's administrative, physical, and technical safeguards and operate on infrastructure that is covered by a BAA. We do not currently claim to be "HIPAA certified" or "HIPAA audited."
On our roadmap
- •Formal HIPAA risk assessment and policy library through a compliance platform.
- •Third-party HIPAA attestation ahead of our first enterprise health-system contract.
- •SOC 2 Type I, followed by Type II, as we expand the provider portal.
- •Patient-facing data export and account deletion self-service.
Reporting a vulnerability
If you believe you have found a security issue, please email security@momcradl.com. We respond to all reports and will not pursue legal action against good-faith research.