Trust & Safety
Security at Rx Contract IQ
We handle sensitive healthcare contract data. Security isn't an afterthought; it's foundational to everything we build. Here's how we protect your data.
Last reviewed: January 2026
Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed through a dedicated key management service with automatic rotation.
Infrastructure
Hosted on AWS with multi-region redundancy. Infrastructure is provisioned as code, version-controlled, and reviewed before every change. No manual production access.
Access Controls
Role-based access control (RBAC) with least-privilege principles. All internal access requires MFA. Privileged access is time-limited, logged, and reviewed quarterly.
Audit Logging
Comprehensive audit trails capture all data access, configuration changes, and authentication events. Logs are immutable, centralized, and retained for a minimum of 12 months.
Penetration Testing
Annual third-party penetration tests conducted by certified security firms. Critical findings are remediated within 48 hours; high findings within 7 days. Results available under NDA.
Business Continuity
Automated backups with point-in-time recovery. RTO of 4 hours and RPO of 1 hour. Disaster recovery procedures are tested bi-annually with documented runbooks.
Vulnerability Management
Continuous dependency scanning, static code analysis, and container image scanning integrated into our CI/CD pipeline. Critical CVEs are patched within 24 hours of disclosure.
Employee Security
All employees complete security awareness training at hire and annually thereafter. Background checks are required for roles with access to production systems or customer data.
HIPAA & Healthcare Data
As a platform that processes pharmacy benefit data, we understand the unique compliance requirements of the healthcare industry. We operate as a HIPAA Business Associate for applicable customers and are prepared to execute a Business Associate Agreement (BAA) upon request.
Protected Health Information (PHI) is handled with strict access controls, stored in dedicated HIPAA-eligible infrastructure, and never used for purposes other than delivering the contracted services.
Responsible Disclosure
We take security vulnerabilities seriously. If you believe you have discovered a security issue in our platform, please report it responsibly to [email protected]. We commit to acknowledging your report within 24 hours, keeping you informed of our progress, and not pursuing legal action against good-faith researchers who follow our disclosure guidelines.
Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.
Contact Our Security Team
For security inquiries, BAA requests, or to report a vulnerability, contact us at