Aequitas processes sensitive medical and legal records on behalf of physicians, law firms, and carriers. Security is foundational to the platform, not an afterthought. This page summarizes our controls; our security team is happy to review them in detail with yours.
Certifications & compliance
- SOC 2 Type II — Aequitas' parent company, TRIJ Ventures, Inc. d/b/a Kronos Health, maintains a SOC 2 Type II report covering the Aequitas platform. The report is available under NDA on request.
- HIPAA — the platform is built to align with HIPAA obligations, and we sign a Business Associate Agreement (BAA) with covered entities and their business associates.
Data protection
- Encryption in transit — all traffic is served over TLS.
- Encryption at rest — PHI, including uploaded records and generated reports, is encrypted at rest using managed KMS keys. Case data is never left in the clear.
- Isolation — each practice's data is logically isolated (multi-tenant with per-tenant scoping); one practice cannot access another's cases.
Access controls
- Least privilege — accounts and services run with the minimum access required; no standing access to data a role doesn't need.
- Per-case permissioning — counsel and staff are granted access to specific cases and files only — scoped, reviewable, and revocable at any time.
- Authentication — role-based access with token-revocation controls; optional two-step verification.
Auditability
Access, edits, permission grants, and signatures are written to an immutable, append-only audit log that supports defensibility and review. Audit records are retained to preserve the integrity of the record.
Infrastructure & subprocessors
Aequitas runs on Amazon Web Services (AWS). PHI is processed by AWS services (including compute, storage with SSE-KMS, document text extraction, and AI inference) under a signed Business Associate Agreement with AWS. We use subprocessors only as needed to operate the Service and only under appropriate agreements; we do not sell personal information or PHI, and we do not use PHI for advertising.
Human oversight
AI produces draft content; the examining physician reviews, edits, and signs. No report is final until the responsible physician approves it.
Reporting a security concern
To request our SOC 2 report (under NDA), a copy of our BAA, or to report a security concern, contact aequitas@kronosgroup.health.