Trust at Rettromax

Built for the security and privacy review your team will run

Rettromax handles performance, feedback, and clinical-quality data with field-level encryption, per-row PHI protection, and a full audit trail. This page lays out our current security and privacy posture in the language your procurement and security teams expect.

Our security & privacy posture

Each item below describes how the product works today and where our readiness stands. We describe posture and readiness, not certifications we do not hold.

Encryption

Protected health information and other sensitive fields are encrypted at rest with field-level AES — applied at the field level rather than only at the disk level, so sensitive values stay protected throughout processing. Each organization's data is encrypted with its own key, which is in turn wrapped by a separate key-encryption key held in a managed key vault. Keys can be rotated without re-encrypting your data, and an organization's keys can be permanently destroyed on offboarding or a verified erasure request — rendering its encrypted data unrecoverable. Every key-lifecycle event is recorded in an audit trail. All data in transit is protected with TLS.

PHI protection

Incidents and clinical certifications carry a DataClassificationId, and access to protected fields is resolved per row through a CanViewPhi check — granted to the record owner, a manager with an explicit share, and org administrators. Unauthorized reads are redacted on read rather than returned, every authorized PHI read is written to an access log gated by the ViewPhiAccessLog permission, and AI detection of likely PHI is non-blocking: it suggests and notifies rather than silently mutating or rejecting data.

Audit trail

An enhanced audit log records entity-level activity across the product, including governance writes, manager-authored achievements, capability flips, and SCIM provisioning events. Audit records are view-permission gated so only authorized roles can read them. The trail is designed to answer 'who changed what, and when' during a review or investigation.

Data classification

PHI gating is shipped today and drives the per-row protection described above. A broader confidentiality classification model — covering finance, legal, government, energy, life-sciences, and nonprofit data sensitivities — is in development. We describe it as in development and make no delivery commitment on this page.

Authentication

User sign-in is handled through Firebase Authentication, supporting email, Google, and Microsoft OAuth. Single sign-on (SSO) is available on the Enterprise tier for organizations that standardize on their own identity provider. Authentication is delegated to established providers rather than home-grown password handling.

Role-based access control

Access is governed by a permission system layered with capability gating, so what a user can see and do is bounded by both their role and the features their organization has enabled. Sensitive workflows additionally pass through a three-layer privacy gate. Together these mean access is least-privilege by default and explicit by design.

Audit export

The clinical accreditation surface provides surveyor- and auditor-ready export so reviewers can be given exactly the records they need. The underlying attestation log is immutable, and reads against it are themselves logged. Exports draw from authoritative records rather than reconstructed snapshots.

HIPAA posture

We design and operate Rettromax with HIPAA in mind, and the PHI protection, access logging, and audit controls above reflect that posture. A Business Associate Agreement (BAA) is available on the Enterprise tier. We state this as posture and do not claim a HIPAA certification, which does not exist as a formal certification.

Compliance certifications

We are progressing toward formal third-party attestation, including SOC 2; reports are in progress. We do not currently hold a SOC 2 report and make no promise of a completion date on this page. When attestations are available we will share them through the security review process rather than implying them in advance.

Data residency

Customer data currently resides in a single region. We can describe the specific region and the supporting infrastructure as part of a security review. We state current residency rather than promising future multi-region options here.

Subprocessors

We use a small set of third-party subprocessors to operate the service: Firebase for authentication, Paddle for billing and payments, and Google Cloud (Vertex AI) for AI-assisted insights. We keep this list current and will provide the up-to-date subprocessor list as part of a security review. Each subprocessor is engaged for a specific, scoped purpose.

Credentialing & Peer Review

For the medical staff office. How Rettromax handles primary source verification, preserves peer-review privilege, and aligns to credentialing-program expectations — written for the security and legal review your team will run.

Primary source verification data handling

Rettromax verifies credentials natively against the primary source — CAQH, OIG-LEIE, SAM.gov, and NPDB today, with ABMS, DEA, and state licensing boards rolling out. No third-party aggregator sits between Rettromax and the source. Verification results and the raw evidence captured are stored under your organization, and NPDB queries are handled in line with NPDB data-use terms.

Peer-review privilege preservation

OPPE/FPPE and Medical Executive Committee peer-review records are firewalled by section-level access gating. The org-admin role does not supersede this gate — access requires an active committee seat, so even a CEO without one cannot see peer-review content. This separation is what keeps the peer-review privilege (federal HCQIA §1157 and the roughly 47 state peer-review statutes) intact.

Credentialing-standard alignment

Rettromax is built to align with NCQA and Joint Commission credentialing-program expectations — primary source verification, committee review, reappointment cadence, and a complete attestation trail. This is a description of our posture, not an accreditation or certification claim; your organization remains the accountable, accrediting party.

Posture, stated honestly

Throughout this page we describe how the product works today and where our readiness stands — not certifications we do not hold. If a control matters to your review, we would rather show you the mechanism than make a claim we cannot back up.

Want to see how these controls map to the workflows you would actually use? Explore the products

Run your security review with confidence

Tell us about your review process and we will share the documentation, posture details, and answers your security and procurement teams need.