Foresight is a HIPAA-eligible Business Associate. We sign a Business Associate Agreement (BAA) before any production access to PHI is granted.
Our controls
| Control | Implementation |
|---|---|
| Encryption at rest | AWS KMS-managed CMKs, FIPS 140-2 validated. |
| Encryption in transit | TLS 1.2+ on every connection. |
| Audit logging | Every PHI read/write logged with actor, time, scope. |
| Access controls | Per-organization isolation; least-privilege scopes. |
| Backup | RDS automated backups, point-in-time recovery (30 days). |
| Vulnerability management | Continuous SAST (Qodo), dependency scanning (Socket.dev, Dependabot). |
| Annual security assessment | SOC 2 Type II in progress; HITRUST CSF underway. |
| Sub-processor management | Public list at /compliance/subprocessors. |
Your responsibilities (shared model)
You’re responsible for:
- API key safety. Treat keys as credentials.
- Webhook signature verification. Always verify before acting.
- Authorized users. Only assign Foresight access to workforce members with a business need.
- Reporting. Notify us within 24 hours of any suspected breach.
BAA process
- Email contracts@have-foresight.com to begin.
- Counter-signed BAA returned within 5 business days.
- Production keys provisioned after the signed BAA is on file.