HIPAA
Approva operates as a business associate under HIPAA. We handle PHI in accordance with the HIPAA Privacy Rule and Security Rule — covering administrative, physical, and technical safeguards. All staff with PHI access receive annual HIPAA training.
Business Associate Agreement
We sign a BAA with every customer before handling any PHI. Our standard agreement covers Approva's obligations as a business associate and outlines breach notification procedures.
SOC 2
Approva is pursuing SOC 2 Type II certification. Our controls cover availability, confidentiality, and processing integrity.
Data security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to PHI is role-based and requires multi-factor authentication. Every access event is audit-logged and retained for a minimum of six years per HIPAA requirements.