Enterprise-grade security

Security and compliance, built in from day one

Tendara was built by healthcare technology veterans. In long-term care, compliance isn't optional. It's the foundation.

Looking for the subprocessor list, BAA request, or vulnerability-disclosure policy? Visit the Trust Center.

Certifications & standards

Independently verified, every year

Our security posture is validated not just by our own engineers, but by independent auditors who assess our controls against the most rigorous healthcare standards.

Self-attested

HIPAA-Aligned

Built to the Health Insurance Portability and Accountability Act. PHI is encrypted in transit (TLS 1.3) and at rest (AES-256); application-layer field encryption of resident demographics is rolling out. Access is role-based with strict per-facility isolation and audit logging.

  • PHI encrypted in transit (TLS 1.3) + at rest (AES-256)
  • Application-layer field encryption rolling out
  • Audit logging on PHI changes (read logging rolling out)
  • Self-serve BAA, countersigned within one business day

In progress — Q4 2026

SOC 2 Type II

A 12-month SOC 2 Type II observation period is in flight with an AICPA-licensed auditor, covering all five Trust Service Criteria. A Type I report is available now on request under NDA; the Type II attestation is expected Q4 2026.

  • Independent AICPA-licensed auditor
  • All 5 Trust Service Criteria
  • Type I available now under NDA
  • Type II expected Q4 2026

FIPS 140-2

256-bit TLS Encryption

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Encryption keys are managed using FIPS 140-2 compliant key management with automatic rotation.

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • FIPS 140-2 key management
  • Automatic key rotation

Multi-region

High availability

Multi-region redundancy with automatic failover ensures your facility stays operational around the clock. Real-time infrastructure status is available publicly at status.tendara.com.

  • Multi-region redundancy
  • Automatic failover
  • Real-time status monitoring
  • status.tendara.com

Platform security

Every layer of security, covered

From access controls to data recovery, Tendara provides defence-in-depth across every aspect of your facility's data.

  • Audit logging on PHI changes (read-access logging rolling out)
  • Granular role-based access controls (RBAC)
  • Automatic session timeouts (configurable 15–60 min)
  • Multi-factor authentication (MFA) support
  • Single Sign-On (SSO) via SAML 2.0 / OIDC (Enterprise)
  • IP allowlist controls
  • Encrypted message content (AES-256-GCM)
  • Automated daily backups with 30-day retention
  • Point-in-time recovery (PITR)
  • Custom data retention policies
  • Business Associate Agreement (BAA) available
  • Annual third-party penetration testing

Data residency

Your data stays where you need it

By default, all Tendara data is stored in US-based AWS data centers (us-east-1 and us-west-2) with full geographic redundancy. Enterprise customers can elect EU-based data residency, so no data ever leaves your selected region.

  • US data centres: AWS us-east-1 + us-west-2
  • EU data residency available for Enterprise customers
  • No cross-region data transfer without explicit consent
  • Region selection locked at account creation

Infrastructure overview

  • Primary region: AWS us-east-1
  • Failover region: AWS us-west-2
  • EU option: AWS eu-west-1 (Enterprise)
  • CDN: Global edge network
  • Backups: Daily + PITR, 30-day retention

HIPAA Business Associate Agreement

We sign Business Associate Agreements

Every Tendara customer receives a fully executed Business Associate Agreement (BAA) at no additional cost. The BAA is delivered digitally and countersigned by our legal team within one business day of your account activation. Enterprise customers can request a custom BAA with negotiated terms.

Security-first from the ground up

Have questions about our security posture?

Our security team is available to walk your compliance officer, CISO, or IT leadership through our controls, audit reports, and penetration test results.

Request a security review