Security & Compliance

Compliance Certifications

HIPAA

Business Associate Agreement available. Full compliance with Privacy and Security Rules.

Status: Certified

SOC 2 Type II

Annual audit covering security, availability, and confidentiality controls.

Status: Certified

HITRUST CSF

Healthcare-specific security framework certification.

Status: In Progress

FDA 21 CFR Part 11

Electronic records and signatures compliance for SaMD applications.

Status: Compliant

BAA Available: Rubric signs Business Associate Agreements (BAAs) with all customers handling PHI. Contact your account manager or email [email protected] to execute a BAA.

Security Overview

PHI Handling

Comprehensive controls for protected health information throughout the data lifecycle.

Encryption

AES-256 encryption at rest, TLS 1.3 in transit. Customer-managed keys available.

Access Logging

Complete audit trail of all data access with tamper-evident logging.

Data Retention

Configurable retention policies with secure deletion and compliance holds.

Infrastructure Security

Control	Implementation	Details
Cloud Provider	AWS GovCloud / AWS Commercial	Region selection based on data residency requirements
Network Security	VPC isolation, WAF, DDoS protection	Private endpoints available for enterprise
Compute	Hardened containers, no persistent storage	Stateless application tier
Database	Amazon RDS with encryption	Multi-AZ deployment, automated backups
Object Storage	S3 with server-side encryption	Versioning enabled, cross-region replication
Secrets Management	AWS Secrets Manager	Automatic rotation, audit logging
Identity	AWS IAM, SSO integration	Role-based access, MFA required

Data Flow Security

Ingestion → Processing → Storage → Access

Ingestion: TLS 1.3 encryption, API key auth, request signing
Processing: Isolated compute, no disk persistence, memory encryption
Storage: AES-256 encryption, customer-managed keys optional
Access: RBAC, audit logging, session management

Access Controls

Rubric implements role-based access control (RBAC) with predefined roles for healthcare AI workflows:

Role	Permissions	Typical Users
Organization Admin	Full access, user management, billing, security settings	IT administrators, compliance officers
Project Admin	Full project access, team management, integrations	ML team leads, project managers
Evaluator	Create evaluations, view results, manage datasets	ML engineers, data scientists
Reviewer	Submit reviews, view assigned samples	Clinicians, medical reviewers
Viewer	Read-only access to results and reports	Stakeholders, executives
API Only	Programmatic access only, no UI	Service accounts, CI/CD

rbac_example.py

# Invite user with specific role
client.organization.invite_user(
    email="[email protected]",
    role="reviewer",
    projects=["patient-triage"],

    # Optional: Require MFA
    require_mfa=True,

    # Optional: Set session timeout
    session_timeout_minutes=60
)

# Create service account for CI/CD
service_account = client.organization.create_service_account(
    name="github-actions",
    role="evaluator",
    projects=["patient-triage"],

    # Restrict by IP
    allowed_ips=["203.0.113.0/24"]
)

Security Best Practices

Practice	Description
Enable Multi-Factor Authentication	Require MFA for all users accessing PHI. SSO with your IdP is supported.
Use Least Privilege Access	Assign minimum necessary permissions. Use project-scoped roles when possible.
Rotate API Keys Regularly	Set up automatic key rotation or rotate manually every 90 days.
Review Audit Logs	Regularly review access logs for anomalies. Set up alerts for suspicious activity.
Configure Data Retention	Set appropriate retention periods for your compliance requirements.
Use Private Endpoints	For enterprise deployments, use VPC private endpoints to avoid public internet.

Security Documentation

Request additional security documentation for your compliance review:

SOC 2 Type II Report
Security Architecture Whitepaper
Penetration Test Executive Summary
Business Associate Agreement (BAA)
Data Processing Agreement (DPA)
Vendor Security Questionnaire (CAIQ, SIG, Custom)

Security Review: Contact [email protected] to request security documentation or schedule a security review call with our team.

Home

Getting Started

Core Concepts

Onboarding Guides

Evaluation Framework

Tutorials

Integrations

Security & Compliance

Voice AI

Medical Imaging

Clinical Notes

Workflows

Glossary & Appendix

Security & Compliance

Compliance Certifications

HIPAA

SOC 2 Type II

HITRUST CSF

FDA 21 CFR Part 11

Security Overview

PHI Handling

Encryption

Access Logging

Data Retention

Infrastructure Security

Data Flow Security

Access Controls

Security Best Practices

Security Documentation

Home

Getting Started

Core Concepts

Onboarding Guides

Evaluation Framework

Tutorials

Integrations

Security & Compliance

Voice AI

Medical Imaging

Clinical Notes

Workflows

Glossary & Appendix

​Compliance Certifications

HIPAA

SOC 2 Type II

HITRUST CSF

FDA 21 CFR Part 11

​Security Overview

PHI Handling

Encryption

Access Logging

Data Retention

​Infrastructure Security

​Data Flow Security

​Access Controls

​Security Best Practices

​Security Documentation

Compliance Certifications

Security Overview

Infrastructure Security

Data Flow Security

Access Controls

Security Best Practices

Security Documentation