Is Sapt HIPAA compliant?

Sapt offers HIPAA-ready infrastructure through our partnership with Neon, which provides HIPAA-compliant PostgreSQL databases with Business Associate Agreements (BAA). We implement administrative, physical, and technical safeguards to protect PHI.

Does Sapt have SOC 2 certification?

Sapt is actively working toward SOC 2 Type II certification. We have implemented the security controls and practices required for certification and are in the audit preparation phase.

How does Sapt protect customer data?

We employ multiple layers of protection including AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, comprehensive audit logging, and regular security assessments.

How does Sapt secure AI and LLM features?

We implement defense-in-depth for AI features including prompt injection prevention, input sanitization, output filtering, strict tool boundaries for AI agents, and regular adversarial red team testing. Customer data is never used to train models, and all AI interactions are logged for audit purposes.

Does Sapt use customer data to train AI models?

No. We have strict zero-training policies with all AI providers. Your data is used only to process your specific requests and is never used to train, fine-tune, or improve AI models. We maintain contractual agreements with providers like Anthropic, OpenAI, and Google that explicitly prohibit training on customer data.

Security & Compliance | HIPAA, SOC 2, AI & LLM Security

Our Commitment to Security

At Sapt, we take security seriously. Our infrastructure is designed to meet stringent compliance requirements while providing the flexibility your business needs. We implement industry-standard security practices and partner with certified infrastructure providers to protect your data.

HIPAA-Ready Infrastructure

For healthcare and wellness businesses handling Protected Health Information (PHI), we provide HIPAA-compliant infrastructure through our partnership with Neon, a SOC 2 Type 2 certified database provider.

Three-Layer Safeguard Approach

Administrative Safeguards: Comprehensive policies, procedures, and staff training ensure ongoing HIPAA compliance across our organization.
Physical Safeguards: Data centers with restricted access controls, 24/7 monitoring, and secure facility management protect physical infrastructure.
Technical Safeguards: Encryption at rest and in transit, access controls, audit logging, and automatic session management protect electronic PHI.

Business Associate Agreement

We execute Business Associate Agreements (BAAs) with customers who require HIPAA compliance. Our BAA covers the storage, processing, and transmission of PHI within the Sapt platform.

Comprehensive Audit Logging

All access to PHI is logged through multiple audit trail mechanisms, including application-level logging and database audit logs (pgAudit). Logs capture user actions, SQL operations, and access patterns while protecting sensitive credentials.

SOC 2 Certification Journey

We are actively working toward SOC 2 Type II certification, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.

Trust Service Criteria

Security: Protection against unauthorized access through firewalls, intrusion detection, and multi-factor authentication.
Availability: Systems are available for operation and use as committed through SLAs and redundant infrastructure.
Confidentiality: Information designated as confidential is protected through encryption and access controls.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with privacy commitments.

Current Status: We have implemented the required security controls and are in the audit preparation phase. Our infrastructure partners, including Neon and Cloudflare, maintain SOC 2 Type II certifications.

Data Security Practices

We employ multiple layers of security to protect your data throughout its lifecycle.

Encryption

At Rest: AES-256 encryption for all stored data
In Transit: TLS 1.3 for all data transmission
Backups: Encrypted database backups with point-in-time recovery

Access Controls

Role-based access control (RBAC) for all systems
Multi-factor authentication (MFA) for administrative access
Principle of least privilege for all access grants
Regular access reviews and permission audits

Infrastructure Security

Cloudflare WAF and DDoS protection
Isolated compute environments per customer
Automated vulnerability scanning and patching
Geographic data residency options

AI & LLM Security

As AI capabilities become central to modern business platforms, we implement rigorous security measures specifically designed for large language models and AI agents. Our approach follows defense-in-depth principles with multiple layers of protection.

Data Privacy & Isolation

Zero Training Policy: Your data is never used to train, fine-tune, or improve AI models. We maintain explicit contractual agreements with all providers (Anthropic, OpenAI, Google) prohibiting training on customer data.
Data Isolation: Each customer's context is strictly isolated. AI systems cannot access data across customer boundaries.
Minimal Data Exposure: We follow data minimization principles, sending only necessary context to AI models and stripping sensitive fields when possible.
Secure Transit: All AI API calls use TLS 1.3 encryption with certificate pinning where supported.

Prompt Injection Defense

Prompt injection is one of the most significant risks in LLM-powered applications. We implement multiple layers of defense:

Input Sanitization: All user inputs are validated, sanitized, and checked for known injection patterns before reaching AI systems.
Structured Prompts: System prompts use clear delimiters and structured formats that resist manipulation attempts.
Output Filtering: AI responses are scanned for sensitive data leakage, instruction echoing, and anomalous patterns before being returned to users.
Context Boundaries: User-provided content is clearly separated from system instructions using proven delimiter strategies.
Behavioral Guardrails: AI systems are configured with explicit boundaries on what actions they can and cannot perform.

Agent Security & Tool Boundaries

For AI agents that can take actions on behalf of users, we implement strict security controls:

Principle of Least Privilege: AI agents are granted only the minimum permissions required for their specific function.
Tool Allowlisting: Agents can only access explicitly approved tools and APIs. All tool calls are validated against allowlists.
Rate Limiting: Strict rate limits prevent runaway agent behavior and limit blast radius of potential compromises.
Action Confirmation: High-impact actions require explicit user confirmation before execution.
Sandboxed Execution: Agent code execution occurs in isolated environments with no access to production systems or customer data stores.

Adversarial Testing & Red Teaming

We proactively test our AI systems against attack scenarios:

Regular Red Team Exercises: Internal and external security teams conduct adversarial testing against our AI features, attempting prompt injections, jailbreaks, and privilege escalation.
Automated Attack Simulation: Continuous automated testing with known attack patterns and novel variations to identify vulnerabilities.
Threat Modeling: Each AI feature undergoes threat modeling to identify potential attack vectors before deployment.
Incident Response Plans: Documented procedures for responding to AI-specific security incidents, including model behavior anomalies.

Model Governance & Audit

Provider Vetting: We partner only with established AI providers (Anthropic, OpenAI, Google) who maintain SOC 2 compliance and clear security practices.
Version Control: All model versions and prompt templates are version-controlled with change tracking and rollback capabilities.
Comprehensive Logging: All AI interactions are logged with full context for audit purposes, excluding sensitive data fields.
Anomaly Detection: Automated monitoring detects unusual patterns in AI behavior, token usage, or response characteristics.

Human Oversight

Human-in-the-Loop: Critical decisions and high-stakes actions require human review and approval.
Escalation Paths: AI systems are configured to escalate to human operators when confidence is low or requests are ambiguous.
Override Controls: Administrators can immediately disable AI features or revert to manual workflows if issues arise.
Regular Review: AI outputs and decisions are periodically reviewed by human teams to ensure quality and safety.

Trusted Infrastructure Partners

We partner with industry-leading infrastructure and AI providers who maintain their own rigorous compliance certifications:

Infrastructure

Cloudflare: Edge network & security — SOC 2 Type II, ISO 27001, PCI DSS
Neon: Serverless PostgreSQL — SOC 2 Type II, HIPAA, BAA available
AWS: Cloud infrastructure — SOC 2 Type II, HIPAA, FedRAMP

AI Providers

Anthropic: Claude AI models — SOC 2 Type II, zero data retention options, HIPAA BAA available
OpenAI: GPT models — SOC 2 Type II, zero data retention options, enterprise agreements available
Google Cloud: Gemini & Vertex AI — SOC 2 Type II, ISO 27001, HIPAA BAA available

Questions About Security?

We're happy to discuss our security practices, provide additional documentation, or answer questions about compliance requirements for your specific use case.

Email: support@sapt.ai

Security & Compliance