Built for the security and privacy review your team will run
Rettromax handles performance, feedback, and clinical-quality data with field-level encryption, per-row PHI protection, and a full audit trail. This page lays out our current security and privacy posture in the language your procurement and security teams expect.
Our security & privacy posture
Each item below describes how the product works today and where our readiness stands. We describe posture and readiness, not certifications we do not hold.
Encryption
Protected health information and other sensitive fields are encrypted at rest with field-level AES — applied at the field level rather than only at the disk level, so sensitive values stay protected throughout processing. Each organization's data is encrypted with its own key, which is in turn wrapped by a separate key-encryption key held in a managed key vault. Keys can be rotated without re-encrypting your data, and an organization's keys can be permanently destroyed on offboarding or a verified erasure request — rendering its encrypted data unrecoverable. Every key-lifecycle event is recorded in an audit trail. All data in transit is protected with TLS.
PHI protection
Incidents and clinical certifications carry a DataClassificationId, and access to protected fields is resolved per row through a CanViewPhi check — granted to the record owner, a manager with an explicit share, and org administrators. Unauthorized reads are redacted on read rather than returned, every authorized PHI read is written to an access log gated by the ViewPhiAccessLog permission, and AI detection of likely PHI is non-blocking: it suggests and notifies rather than silently mutating or rejecting data.
Audit trail
An enhanced audit log records entity-level activity across the product, including governance writes, manager-authored achievements, capability flips, and SCIM provisioning events. Audit records are view-permission gated so only authorized roles can read them. The trail is designed to answer 'who changed what, and when' during a review or investigation.
Data classification
PHI gating is shipped today and drives the per-row protection described above. A broader confidentiality classification model — covering finance, legal, government, energy, life-sciences, and nonprofit data sensitivities — is in development. We describe it as in development and make no delivery commitment on this page.
Authentication
User sign-in is handled through Firebase Authentication, supporting email, Google, and Microsoft OAuth. Single sign-on (SSO) is available on the Enterprise tier for organizations that standardize on their own identity provider. Authentication is delegated to established providers rather than home-grown password handling.
Role-based access control
Access is governed by a permission system layered with capability gating, so what a user can see and do is bounded by both their role and the features their organization has enabled. Sensitive workflows additionally pass through a three-layer privacy gate. Together these mean access is least-privilege by default and explicit by design.
Audit export
The clinical accreditation surface provides surveyor- and auditor-ready export so reviewers can be given exactly the records they need. The underlying attestation log is immutable, and reads against it are themselves logged. Exports draw from authoritative records rather than reconstructed snapshots.
HIPAA posture
We design and operate Rettromax with HIPAA in mind, and the PHI protection, access logging, and audit controls above reflect that posture. A Business Associate Agreement (BAA) is available on the Enterprise tier. We state this as posture and do not claim a HIPAA certification, which does not exist as a formal certification.
Compliance certifications
We are progressing toward formal third-party attestation, including SOC 2; reports are in progress. We do not currently hold a SOC 2 report and make no promise of a completion date on this page. When attestations are available we will share them through the security review process rather than implying them in advance.
Data residency
Customer data currently resides in a single region. We can describe the specific region and the supporting infrastructure as part of a security review. We state current residency rather than promising future multi-region options here.
Subprocessors
We use a small set of third-party subprocessors to operate the service: Firebase for authentication, Paddle for billing and payments, and Google Cloud (Vertex AI) for AI-assisted insights. We keep this list current and will provide the up-to-date subprocessor list as part of a security review. Each subprocessor is engaged for a specific, scoped purpose.
Credentialing & Peer Review
For the medical staff office. How Rettromax handles primary source verification, preserves peer-review privilege, and aligns to credentialing-program expectations — written for the security and legal review your team will run.
Primary source verification data handling
Rettromax verifies credentials natively against the primary source — CAQH, OIG-LEIE, SAM.gov, and NPDB today, with ABMS, DEA, and state licensing boards rolling out. No third-party aggregator sits between Rettromax and the source. Verification results and the raw evidence captured are stored under your organization, and NPDB queries are handled in line with NPDB data-use terms.
Peer-review privilege preservation
OPPE/FPPE and Medical Executive Committee peer-review records are firewalled by section-level access gating. The org-admin role does not supersede this gate — access requires an active committee seat, so even a CEO without one cannot see peer-review content. This separation is what keeps the peer-review privilege (federal HCQIA §1157 and the roughly 47 state peer-review statutes) intact.
Credentialing-standard alignment
Rettromax is built to align with NCQA and Joint Commission credentialing-program expectations — primary source verification, committee review, reappointment cadence, and a complete attestation trail. This is a description of our posture, not an accreditation or certification claim; your organization remains the accountable, accrediting party.
Posture, stated honestly
Throughout this page we describe how the product works today and where our readiness stands — not certifications we do not hold. If a control matters to your review, we would rather show you the mechanism than make a claim we cannot back up.
Want to see how these controls map to the workflows you would actually use? Explore the products