Security & compliance posture
TowerHQ is designed for organizations that can't afford a misconfigured PHI bucket. Every architectural choice — data model, CI gates, AI governance, audit logging — reflects that.
PHI handling
Protected Health Information is encrypted at the field level, redacted in logs by centralized middleware, and never committed to fixtures or snapshots. CI runs a PHI isolation probe on every PR.
- Field-level encryption for PHI/PII at rest
- Redaction middleware on all structured logging
- No PHI in test fixtures — CI fails on pattern match
- 42 CFR Part 2 workflows for substance use disorder records
- Break-glass access is allowed and logged, not hidden
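The two PHI controls above (redaction middleware on structured logging, and the CI gate that fails on a pattern match in fixtures) share one thing: a table of PHI-shaped patterns. The following is an added example, not TowerHQ's own code, written in Python as a standalone CI-side tool. One pattern table feeds both a `logging.Filter` that scrubs records before they are emitted and a fixture probe that returns findings for CI to fail on. The pattern names, the `MRN-` identifier shape and the sample fixtures are assumptions for illustration.

```python
"""PHI redaction and fixture probe: an added example, not TowerHQ's own code.

One pattern table feeds the two controls the page lists separately: a
logging.Filter that scrubs structured records before they are emitted, and a
CI probe that fails when a fixture or snapshot file matches. Pattern names,
the MRN shape and the sample fixtures below are assumptions for illustration.
"""
import logging
import re
from pathlib import Path

# Assumed identifier shapes; a real deployment tunes these per tenant.
PHI_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn":   re.compile(r"\bMRN-\d{8}\b"),          # assumed MRN format
    "dob":   re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
}


def redact(text: str) -> str:
    """Replace each PHI match with a typed placeholder such as [REDACTED:ssn]."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[REDACTED:{name}]", text)
    return text


def redact_value(value):
    """Recurse into the dict/list payloads that structured loggers attach to records."""
    if isinstance(value, str):
        return redact(value)
    if isinstance(value, dict):
        return {k: redact_value(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact_value(v) for v in value]
    return value


class PHIRedactionFilter(logging.Filter):
    """Centralized redaction: scrubs msg, args and every extra attribute on the record.
    Install it on the root logger's handlers so no logger can bypass it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_value(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(redact_value(a) for a in record.args)
        elif isinstance(record.args, dict):
            record.args = redact_value(record.args)
        for key, val in list(record.__dict__.items()):
            if key not in ("msg", "args") and isinstance(val, (str, dict, list)):
                setattr(record, key, redact_value(val))
        return True  # never drop a record, only scrub it


def redacted_message(msg: str, *args, **extra) -> tuple[str, dict]:
    """Build a record the way logging does, run it through the filter and return
    the rendered message plus the (scrubbed) extra fields."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args or None, None)
    for k, v in extra.items():
        setattr(record, k, v)
    PHIRedactionFilter().filter(record)
    return record.getMessage(), {k: getattr(record, k) for k in extra}


def scan_fixture_texts(files: dict[str, str]) -> list[dict]:
    """CI probe over {path: content}. Returns findings; an empty list passes the gate."""
    findings = []
    for path, content in sorted(files.items()):
        for lineno, line in enumerate(content.splitlines(), 1):
            for name, pat in PHI_PATTERNS.items():
                if pat.search(line):
                    findings.append({"file": path, "line": lineno, "kind": name})
    return findings


def scan_fixtures(root: Path, suffixes=(".json", ".yaml", ".yml", ".sql", ".snap")) -> list[dict]:
    """Filesystem front-end for scan_fixture_texts, e.g. scan_fixtures(Path('tests/fixtures'))."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}
    return scan_fixture_texts(files)


# Constructed sample fixtures: one clean, one that should fail CI.
SAMPLE_FIXTURES = {
    "fixtures/patient_clean.json": '{"id": "pt_001", "mrn": "TEST-FIXTURE", "dob": "REDACTED"}',
    "fixtures/patient_leak.json":  '{"id": "pt_002", "mrn": "MRN-00012345",\n "dob": "1980-02-29", "ssn": "123-45-6789"}',
}

if __name__ == "__main__":
    import sys
    findings = scan_fixture_texts(SAMPLE_FIXTURES)
    for f in findings:
        print(f"PHI pattern '{f['kind']}' in {f['file']}:{f['line']}")
    sys.exit(1 if findings else 0)
```

Two design points worth noting. The filter returns `True` unconditionally: its job is to scrub, never to suppress, so a redaction bug cannot turn into silent log loss. And the fixture probe is deliberately pattern-based rather than schema-aware, which means it will flag a test SSN that happens to look real; that is the intended failure mode for a gate whose cost of a false negative is a PHI leak in source control.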
Multi-tenant isolation
Every table carries tenant_id. Postgres row-level security enforces isolation at the database layer with a session-scoped current_tenant_id. A build-time lint rule fails if a Prisma model is missing tenantId.
- Shared DB with per-tenant RLS — dedicated-DB escape hatch for gov/enterprise
- Two-tenant cross-access probe runs in CI
- Per-tenant retention engine with legal-hold override
- Full-export deletion on tenant close
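The build-time rule that fails when a Prisma model lacks `tenantId` is the kind of gate that is cheap to write and expensive to skip: a table without the column cannot be covered by the row-level-security policy at all. Below is an added example of such a lint, not TowerHQ's own tooling, written in Python as a standalone CI script. It goes one step beyond what the page states: it also rejects an optional `tenantId` (`String?`), because a NULL tenant value falls outside an equality predicate against the session's tenant id and would make those rows invisible to every tenant, including the owner. The sample schema is constructed.

```python
"""Prisma tenant-column lint: an added example, not TowerHQ's own tooling.

Parses schema.prisma text and fails the build for any model that lacks a
tenantId field. As an extension the page does not mention, it also rejects an
optional tenantId (String?), since a NULL tenant column would silently fall
outside a row-level-security equality predicate. The sample schema is constructed.
"""
import re
import sys
from pathlib import Path

MODEL_RE = re.compile(r"^\s*model\s+(\w+)\s*\{(.*?)^\s*\}", re.MULTILINE | re.DOTALL)
FIELD_RE = re.compile(r"^\s*(\w+)\s+([\w\[\]?]+)")   # name, then a type like String / String? / Json[]


def parse_models(schema: str) -> dict[str, dict[str, str]]:
    """Return {model: {field: type}} for every model block, skipping line comments
    and block-level @@attributes."""
    models = {}
    for name, body in MODEL_RE.findall(schema):
        fields = {}
        for line in body.splitlines():
            line = line.split("//", 1)[0].strip()
            if not line or line.startswith("@@"):
                continue
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        models[name] = fields
    return models


def lint_schema(schema: str, field: str = "tenantId") -> list[str]:
    """One finding per violating model; an empty list means the gate passes."""
    findings = []
    for model, fields in parse_models(schema).items():
        if field not in fields:
            findings.append(f"{model}: missing {field}")
        elif fields[field].endswith("?"):
            findings.append(f"{model}: {field} must not be optional ({fields[field]})")
    return findings


# Constructed sample: Patient is correct, Claim has a nullable tenant column,
# AuditEvent has none at all.
SAMPLE_SCHEMA = """
model Patient {
  id       String @id @default(uuid())
  tenantId String @map("tenant_id")   // maps to the RLS column
  mrn      String
  @@index([tenantId])
}

model Claim {
  id       String  @id
  tenantId String? @map("tenant_id")
  amount   Int
}

model AuditEvent {
  id   String @id
  body Json
}
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    problems = lint_schema(text)
    for p in problems:
        print("prisma-tenant-lint:", p)
    sys.exit(1 if problems else 0)
```

The RLS policy itself lives in SQL migrations rather than here; the usual shape (an assumption, since the page only names `current_tenant_id`) is a `USING`/`WITH CHECK` predicate comparing `tenant_id` to a session setting read via `current_setting(...)`, set with `SET LOCAL` at the start of each request's transaction so it cannot leak across pooled connections. The lint guarantees the column exists for that predicate to bind to; the two-tenant cross-access probe in CI is what proves the predicate is actually enforced.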
AI governance
All AI inference flows through AIGateway. Direct SDK calls from app code fail CI. Every AI output carries confidence, model version, and prompt hash. Human sign-off is required on anything that affects a claim or patient record.
- BAA required before any external-provider PHI inference
- Per-tenant opt-in per AI provider, logged in audit trail
- Quarterly model cards with golden-pair evaluation results
- On-prem Llama fallback for tenants that forbid external inference
Access, auth, audit
SSO via SAML and OIDC with per-tenant enforcement policy. MFA with TOTP, WebAuthn/passkeys, and SMS as a fallback; SMS is the weakest of the three (SIM-swap and interception risk), which is why it is positioned as a fallback rather than a primary factor. Every mutating action lands in a tamper-evident, hash-chained audit log.

- SAML + OIDC (Entra, Okta, Google Workspace, OneLogin, Ping, JumpCloud)
- SCIM 2.0 for provisioning
- Hash-chained audit log — tamper-evident, per-tenant exportable
- Session management with device tracking
Regulatory posture
Targeting SOC 2 Type II, HIPAA, HITECH, 42 CFR Part 2, FedRAMP and StateRAMP readiness, GDPR/CCPA with DSAR and deletion tooling, and CAPCE accreditation for the native LMS.
- SOC 2 Type II — audit-ready design from day one
- Annual pen test with public summary (F409)
- Vulnerability disclosure program via HackerOne (F410)
- 99.9% / 99.95% / 99.99% SLA tiers
- CAPCE accreditation target for native CE delivery