Trust Center
Security at Tendara
Everything a procurement or IT-security team would ask for in vendor due diligence, answered honestly, kept current as our program matures.
Section 01
Compliance & certifications
What's certified today, what's in audit, what's roadmapped, and what we can provide on request.
HIPAA
Authority: Self-attested + customer-driven third-party audits
Tendara is HIPAA-aligned: PHI encryption in transit and at rest, audit logging on PHI changes (read-access logging rolling out), BAA available for every customer, and breach-notification procedures documented and tested.
Business Associate Agreement (BAA)
Self-serve BAA — fill in your details, e-sign, and we counter-sign within 1 business day. Custom redlines can still be submitted via jimish2104gajjar@gmail.com.
SOC 2 Type II
Authority: AICPA-licensed CPA firm (assigned at engagement)
12-month observation period in flight with an AICPA-licensed auditor. Type I report available now on request under NDA; Type II attestation expected Q4 2026.
HITRUST CSF (e1)
HITRUST CSF e1 (Essentials) certification roadmapped for 2027. We've internally mapped 80% of e1 controls and use HITRUST as our framework for security-program maturity.
ISO 27001
We follow ISO 27001 controls internally as part of our SOC 2 program. Formal ISO certification is on the multi-year roadmap; tell us if it's a procurement blocker for you.
GDPR
Tendara primarily serves US-based customers. We have a draft DPA template available for EU/UK customers and have implemented GDPR data-subject-rights workflows (access, rectification, erasure).
Section 02
Encryption & data handling
How customer data is stored, transmitted, and isolated, including the parts still in flight.
Encryption in transit
TLS 1.3 enforced on every connection. HSTS preload list submitted. Internal service-to-service traffic encrypted with mTLS.
Encryption at rest
AES-256 encryption on all database storage, file storage, and backups. Keys managed by AWS KMS with quarterly rotation.
Field-level PHI encryption
In progress
First names, last names, phone numbers, and free-text PHI fields encrypted at the application layer with per-tenant keys before reaching the database. Even with database access, raw PHI is unrecoverable without the application key.
Customer-managed encryption keys (CMEK / BYOK)
Planned
Enterprise customers can supply their own KMS-managed keys. Available on the Enterprise plan; ask security@ to scope.
Audit-log immutability
In progress
Audit logs streamed to S3 with Object Lock (write-once, read-many) and a 7-year retention policy. Tampering is mathematically detectable, not just procedurally prevented.
Data residency
All customer data stored exclusively in US data centers. EU residency available on the Enterprise plan via dedicated tenancy in eu-west-1.
Section 03
Subprocessors
Every third party that can technically reach customer data, what they do for us, and where they process it.
We notify customers at least 30 days before adding a new subprocessor that can process PHI. Subscribe to subprocessor updates by emailing jimish2104gajjar@gmail.com.
| Provider | Purpose | Location | Data categories | BAA |
|---|---|---|---|---|
| Vercel | Web hosting and edge network | United States (Amazon Linux Lambda, AWS us-east-1) | Page request metadata; Server logs; PHI in transit | Yes |
| Neon | Managed PostgreSQL database | United States (AWS us-east-1) | Resident records; PHI at rest; Audit logs | Yes |
| Cloudflare | DNS, CDN, DDoS protection | Global edge network | Page request metadata; IP addresses (anonymized) | N/A |
| SendGrid | Transactional email delivery (notifications, demo requests) | United States | Recipient email; Email content (de-identified where possible) | Yes |
| PostHog | Product analytics (no PHI) | United States (us.i.posthog.com) | Anonymous page views; Feature-usage events; User IDs (internal only) | N/A |
| AWS S3 | Document and image storage | United States (AWS us-east-1) | Resident documents; Care-plan attachments; Family-uploaded photos | Yes |
| Sentry | Error monitoring and stack traces | United States | Server-side error stacks; Anonymized session breadcrumbs | Yes |
Section 04
Incident response
What happens when something goes wrong, from triage to customer notification.
Acknowledgement
Within 24h
We acknowledge security reports within 24 hours.
Triage
Within 72h
Initial triage complete within 72 hours of acknowledgement.
Resolution
By severity
Critical-severity issues remediated within 7 days; high-severity within 30 days. Lower-severity issues land in a public changelog entry once shipped.
Customer notification
Within 72h of confirmation
If a security incident affects customer data, we notify affected customers within 72 hours of confirmation, by email and dashboard banner. We share what we know and what we're investigating, and update every 24 hours until resolved.
Real-time status
Public uptime monitoring, incident history, scheduled maintenance.
Section 05
Vulnerability disclosure
Found something? Here's how to tell us, and what to expect back.
Report a vulnerability
jimish2104gajjar@gmail.com
In scope
Anything reachable at *.tendara.health, *.tendara-web.vercel.app, the staging environment, or our public iOS/Android apps once launched.
Out of scope
- Denial-of-service attacks
- Social engineering of Tendara staff or customers
- Physical security testing
- Third-party services (please report to the vendor directly)
Rewards: Security research is appreciated. We don't run a paid bounty program today, but high-quality reports are publicly credited (with permission) and reach the founder directly.
Doing security due-diligence on Tendara?
Reach our security team directly. We respond fast, share documents under NDA, and don't play vendor-questionnaire ping-pong.