Moraine Labs

Security & Compliance

Built for HIPAA settings and conservative IT. Our products are designed to keep PHI under your control, provide auditable outcomes, and fit cleanly into existing security postures.

Least privilege

Access is scoped to the minimum required for a task. Administrative elevation is time-bound and logged.

Defense in depth

Controls stack across identity, network, application, and data layers to reduce single points of failure.

Privacy by design

We minimize collection, avoid PHI in demos, and support deployments that keep sensitive data within your boundaries.

Auditability

Decisions, changes, and access are captured with tamper-evident logs and clear evidence chains.

Data protection

  • Encryption in transit: TLS 1.2+ between clients, services, and storage.
  • Encryption at rest: AES-256 or platform-equivalent for databases, object stores, and backups.
  • Key management: Managed KMS by default; customer-managed keys (BYOK/CMK) available in supported environments.
  • Secrets: Stored in a vault with strict access policies and rotation procedures.
  • Data minimization: We collect only what’s needed and retain it for the shortest practical period.
  • Backups & recovery: Encrypted backups with periodic restore tests; RTO/RPO targets defined during implementation.
  • Isolation: Single-tenant managed or on-prem deployments for stricter boundary control.
  • Egress controls: Support for outbound filtering and allow-lists where required.

Identity & access control

  • SSO/SAML or OIDC: Integrates with your identity provider for centralized auth.
  • RBAC: Role-based access and data scoping; least-privilege by default.
  • Session security: Configurable timeouts, MFA enforcement via your IdP.
  • Admin controls: Change approvals and configuration histories are logged.
  • Break-glass procedures: Documented emergency access with post-use review.
  • IP restrictions: Optional network allow-listing for managed environments.
  • Customer data ownership: You control your data; export and deletion are supported.
  • No training on your data by default: Customer data isn’t used to train shared models.

Application security & SDLC

  • Secure development lifecycle: Code review, dependency scanning, and targeted testing against OWASP Top-10 categories.
  • Change management: Versioned releases with rollback plans and audit trails.
  • Configuration as code: Declarative infrastructure where supported; peer-reviewed changes.
  • Third-party components: Inventory and update policies for libraries and images.
  • Logging & monitoring: Centralized logs with retention policies; alerts on key events.
  • Tamper-evident records: Options to produce signed artifacts and verification bundles for sensitive workflows.
  • Environment separation: Strong separation between dev/test and production.
  • Customer validation: Staging environments available for UAT where needed.

Privacy & compliance

  • HIPAA-ready deployments: Support for BAAs on eligible engagements and minimal-retention defaults.
  • SOC 2 / HITRUST alignment: Controls and practices align to common frameworks; formal attestation is part of our roadmap.
  • Vendor & subprocessor review: Risk assessment and contractual controls for third parties.
  • Data subject requests: Processes for export and deletion where applicable.
  • Model governance: Guardrails to prevent inadvertent disclosure; human-in-the-loop controls for high-risk use cases.
  • Content handling: PHI is kept within your boundary in on-prem or single-tenant managed deployments.
  • Records management: Retention schedules defined with you; exports available on request.
  • Security training: Team training on data handling and incident procedures.

Incident response & availability

  • Defined runbooks: Severity classification, containment/eradication steps, and communication plans.
  • Customer notifications: We notify affected customers per contractual and regulatory obligations.
  • Post-incident reviews: Root-cause analysis and corrective actions are documented.
  • Vulnerability handling: Triage, patch, and disclosure processes; we welcome responsible reports.
  • Business continuity: Backup and restore plans validated through periodic tests.
  • RTO/RPO: Targets established collaboratively based on your requirements and deployment choice.
  • Monitoring: Health and performance telemetry with alerting on key indicators.
  • Shared responsibility: Clear delineation of responsibilities for managed vs. on-prem deployments.

Deployment options

Single-tenant managed

Dedicated deployment with data isolation, optional IP allow-listing, and egress controls. We handle availability and updates under a defined change window.

Self-hosted on-prem

Your team operates the environment behind your controls. We provide an installer, configuration guidance, and offline verification bundles for sensitive outputs.

In both models, PHI can remain inside your network boundary. We align logging and retention to your policy and provide export options for audit.

Request our security overview

Need our security questionnaire, control mapping, or a sample verification bundle? We’ll tailor materials to your evaluation.