Security
Information and data security is paramount at Nūr Evoke. Your clients trust you to safeguard their protected health, medical, and personally identifiable information — and you rely on us to provide a safe, secure environment for it. The measures below outline how we earn that trust.
HIPAA
We handle Protected Health Information as a Business Associate under HIPAA, governed by signed Business Associate Agreements (BAAs) with the practices we serve and with our subprocessors. Safeguards are built into our product, policies, and procedures. See our HIPAA Notice for details.
Infrastructure security
- Hosted only on HIPAA-eligible Amazon Web Services, within a private network (VPC with private subnets); the database is not publicly reachable.
- Encryption at rest with AWS KMS-managed keys and TLS 1.2+ for all data in transit; the database enforces SSL.
- Automated backups, deletion protection, and infrastructure managed as code (Terraform).
- Continuous monitoring with CloudTrail, AWS Config, and GuardDuty.
Application security
- Authentication via AWS Cognito with multi-factor authentication; no passwords are stored in our database.
- Role-based access control with every query scoped to the user's organization, plus session timeouts.
- Audit logging of access to, and changes to, PHI-bearing records.
- Secrets held in AWS Secrets Manager; PHI kept out of application logs and URLs; least-privilege and privacy-by-design principles applied from the start.
Privacy
We apply the HIPAA "minimum necessary" principle, do not sell personal information or PHI, and do not use PHI for advertising. Address verification uses a U.S.-government geocoder rather than services excluded from our BAAs. See our Privacy Policy.
Certifications & assessments
Nūr Evoke is built on HIPAA-eligible Amazon Web Services, which maintain their own SOC 2 and ISO 27001 certifications, and we operate under signed Business Associate Agreements (BAAs) with AWS and Google Workspace. Nūr Evoke does not claim independent SOC 2, FERPA, or PCI certification for the application itself.
Reporting a vulnerability
If you believe you've found a security issue, please contact info@nurbhealth.com. We investigate all reports and will keep you informed.
