Security & Compliance

PHI-grade infrastructure, by design.

Kavera is built on AWS with HIPAA-aligned controls across the stack. We sign Business Associate Agreements with every customer practice and maintain a documented compliance program.

Security controls

Encryption everywhere

TLS 1.2+ in transit on every external surface. Database, object storage, and field-level credential storage are encrypted at rest with AWS-managed keys.

Role-based access

Roles for surgeons, providers, billing staff, medical assistants, and administrators — each scoped to the workflow they own. No shared accounts.

Multi-factor authentication

Email-delivered verification codes on every sign-in for clinical users. Sessions expire after 30 minutes of inactivity.

Audit logging

Every authenticated action — logins, record reads, signatures, configuration changes — is captured in a structured, append-only log, as required by 45 CFR § 164.312(b).

Tenant isolation

Every practice gets a branded subdomain and isolated data scope. Sessions issued for one tenant cannot be replayed against another.

Documented compliance program

Security Risk Assessment, Incident Response Plan, Disaster Recovery Runbook, and Workforce Training Program — maintained and available to your compliance team.

Common questions

What compliance and security questions do practices ask?

Is Kavera HIPAA compliant?

Yes. Kavera is HIPAA-aligned: it runs on AWS-native infrastructure with HIPAA-aligned controls across the stack and signs a Business Associate Agreement with every customer practice.

How does Kavera encrypt patient data?

TLS 1.2 or higher in transit on every external surface. Database, object storage, and field-level credential storage are encrypted at rest with AWS-managed keys.

Does Kavera require multi-factor authentication?

Yes. Email-delivered verification codes are required on every clinical user sign-in, and sessions expire after 30 minutes of inactivity.

Does Kavera maintain an audit log?

Yes. Every authenticated action, including logins, record reads, signatures, and configuration changes, is captured in a structured, append-only log, as required by 45 CFR § 164.312(b).

How is tenant data isolated between practices?

Every practice gets a branded subdomain and an isolated data scope. Sessions issued for one tenant cannot be replayed against another.

What compliance documents does Kavera provide?

Available under NDA: Business Associate Agreement template, Security Risk Assessment per 45 CFR § 164.308(a)(1)(ii)(A), Incident Response Plan, Disaster Recovery Runbook, and Workforce Training Program.

For your compliance team

What compliance documents does Kavera provide?

  • Business Associate Agreement (BAA) template
  • Security Risk Assessment (45 CFR § 164.308(a)(1)(ii)(A))
  • Incident Response Plan
  • Disaster Recovery Runbook
  • Workforce Training Program

Built for clinical environments.

A 30-minute demo includes a security walkthrough.