SECURITY

Security that's table stakes.

Dispatch is critical infrastructure. Hatzalah.Live is built with the controls, monitoring, and operational discipline that critical infrastructure demands.

SECURITY PILLARS

Defense in depth, by default

Nine layers of controls protect every byte of dispatch and medical data we process.

Encryption in transit
TLS 1.2+ enforced on every endpoint, with HSTS and modern cipher suites. Encryption-at-rest is on our roadmap.

Authentication
MFA required for all admin accounts. SSO via SAML and OIDC available for enterprise plans.

Authorization
Role-based access control with least-privilege defaults. Tenant data fully isolated.

Audit logging
Every read, write, and configuration change is logged with user, timestamp, and source IP.

Network security
Private VPCs, segmented subnets, WAF, DDoS protection, and continuously scanned dependencies.

Infrastructure
Hosted on US public-cloud infrastructure that operates SOC 2 Type II audited data centers with redundant power, cooling, and connectivity.

Backups & recovery
Automated backups with point-in-time recovery; restore procedures are documented and exercised.

Incident response
Documented IR runbooks, on-call rotation, and customer-notification commitments for security events.

Compliance
HIPAA-aware design, BAAs available, and a security-testing program that grows with the platform.

OUR PROGRAM

Security as a daily practice

These are the operating routines that keep our controls effective — not just documented.

Secure development

  • Peer review on code changes before they ship to production.
  • Dependency vulnerability scanning integrated into the build.
  • Threat-modeling for new architecture and integrations.
  • Secrets stored in a managed secrets store — never committed to source.

Operations & monitoring

  • Production alerting on uptime, latency, and security signals.
  • Centralized log aggregation with retention configured per environment.
  • Monitoring of authentication and admin actions for unusual patterns.
  • Periodic access reviews for production systems and credentials.

People & process

  • Background checks for personnel with production access, in accordance with applicable law.
  • Security and HIPAA training for personnel with PHI access.
  • Documented offboarding with prompt credential revocation.
  • Designated Security Officer accountable for the program.

REPORT A VULNERABILITY

Found something? We want to hear about it.

We welcome reports from security researchers and the broader community. Please send a description of the issue, steps to reproduce, and any proof-of-concept material to [email protected]. We commit to acknowledging valid reports within one business day and to working with you in good faith.

Please do not access or modify customer data, disrupt service, or share details publicly until we’ve had time to investigate.

READY TO DIG IN?

Get our full security pack.

We respond to security questionnaires (DDQ, SIG, HECVAT) within one business day.