Brellium security & compliance
Brellium is HIPAA and SOC 2 compliant. Data is encrypted in transit and at rest. Your data is stored in the USA in the cloud.
Flow of data
Brellium makes an API call to the EMR via HTTPS
EMR returns clinical note contents
Note written to secure Brellium S3 bucket and encrypted
Audit completed in Brellium’s secure AWS/Azure environment
Audit results written to Brellium’s secure database powered by AWS RDS
Audit results encrypted
Security and Compliance at Brellium
Brellium maintains a SOC 2 Type II attestation and is HIPAA compliant.
Enterprise-grade security and compliance
Brellium is built for organizations that demand the highest standards of data protection and regulatory compliance.
SOC 2 Type II Attested
Independent third-party audit confirms our security controls meet the highest industry standards for data handling and protection.
End-to-End Encryption
All data is encrypted in transit via HTTPS/TLS 1.2+ and at rest using AES-256 encryption in our secure AWS infrastructure.
Role-Based Access Control
Granular permissions and SSO via Okta/Auth0 ensure only authorized personnel access sensitive clinical data.
Dedicated Data Isolation
Each customer's data is stored in individual, isolated S3 buckets — never co-mingled with other organizations.
BAA Available by Default
We execute a Business Associate Agreement with every customer as standard practice — no special requests needed.
Annual Penetration Testing
Regular third-party penetration tests and risk assessments ensure our defenses stay ahead of evolving threats.
Frequently Asked Questions
Yes. Brellium is HIPAA compliant and has completed SOC 2 Type I and Type II with Secureframe and the Johanson Group. Reports are available upon request.
Yes. API requests are made via encrypted HTTPS. Data is encrypted at rest in a secure AWS S3 bucket.
All data is stored in a cloud-based, secure, encrypted AWS S3 bucket in an AWS datacenter in Ohio. We have no on-premises or overseas datacenter infrastructure.
No. Each customer’s data is kept in an individual S3 bucket, segmented off from every other customer’s data.
Yes. We use Okta/Auth0 for authentication, meaning your organization can log in via SSO.
By default, customer data is stored for 4 years to ensure easy querying in the event of an audit. We can accommodate longer or shorter retention periods on request.
Yes. The most recent pen test was completed on 3/2/25. The report is available upon request.
$5mm 1st Party Cyber • $5mm 3rd Party Cyber • $5mm Commercial General Liability (Per Occurrence) • $7mm Commercial General Liability (Aggregate) • $3mm Umbrella • $1mm Workers Compensation • $1mm Professional Liability / E&O. Insurance providers are A/A+ rated (Nationwide and Hartford).
No.
As of February 2025, our subcontractors include AWS, Azure, Anthropic, Google, Mixpanel, EMAPTA, Builders, and MongoDB. We have a BAA in place with each. We are highly selective of subcontractors, and if we add more we require a BAA in place.
Any code change must be reviewed and approved by a senior IT employee before it goes to production. We have CI/CD workflows in place to streamline deployments and minimize bugs.
Multi-tenant.
Yes. Each Brellium employee completes HIPAA compliance training annually.
In the event of a security breach involving PHI, Brellium will immediately act to contain the breach, report it to the client, and conduct an investigation to determine its root cause.
Yes. The most recent disaster response drill took place on 3/4/25.
Yes. The most recent risk assessment took place on 3/4/25.
Delaware C-Corporation.
Privately held.
Measurable impact from day one
Healthcare organizations that switch to Brellium see transformational improvements in compliance, cost, and clinical quality.