Trust Center

    Built for healthcare, from day one.

    QR Rx is engineered to meet HIPAA from the first patient record onward. Encryption, BAA-covered infrastructure, role-based access, audit logging, and a full subprocessor disclosure live here so a procurement team can finish their review in one read.

    01

    Encryption

    • All data is encrypted in transit using TLS 1.2+
    • All data is encrypted at rest on our database and storage servers
    • Patient access PINs are hashed before storage
    • JWT tokens are signed with a secure secret and expire after 24 hours

    02

    Infrastructure

    • Hosted on Render's HIPAA-compliant infrastructure with a signed BAA
    • File storage on AWS S3 with a signed BAA
    • Database hosted on Render Postgres with automatic backups
    • All services run in isolated, hardened environments

    03

    HIPAA Compliance

    • Business Associate Agreements (BAAs) signed with all infrastructure and service providers
    • No Protected Health Information (PHI) is transmitted to third-party AI services
    • Emails and SMS messages contain no PHI, only first names and secure links
    • AI-powered features use procedure-level content only, never patient identifiers

    04

    Access Controls

    • Role-based access control: Owner, Practitioner, Admin, and Staff roles
    • Patient verification requires QR token + 6-digit PIN + date of birth
    • Login rate-limited to 5 attempts per 15 minutes
    • Patient verification rate-limited to 5 attempts per hour
    • Team members can only access data within their assigned practice
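The two limits quoted above (5 login attempts per 15 minutes, 5 patient-verification attempts per hour), the three-factor patient check (QR token, PIN, date of birth) and the hashed-PIN statement under Encryption fit together in one small piece of code. The block below is an added example written for this page; it is not QR Rx's own implementation. The sliding-window limiter, the choice of PBKDF2-HMAC-SHA256 as the PIN hash, the field names, the record shape and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Limits quoted on this page: (attempts, window in seconds).
LOGIN_POLICY = (5, 15 * 60)            # login: 5 attempts per 15 minutes
PATIENT_VERIFY_POLICY = (5, 60 * 60)   # patient verification: 5 attempts per hour

# Work factor for the PIN hash. PBKDF2-HMAC-SHA256 is an assumption for this
# example; the page says only that PINs are hashed before storage.
PBKDF2_ROUNDS = 600_000


class SlidingWindowLimiter:
    """Per-key (here: per client IP) sliding-window limiter.

    Every attempt, successful or not, is recorded before the credential check
    runs, so nobody can probe without spending budget. `clock` is injectable
    so the window can be tested without sleeping.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # age out old attempts
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def hash_pin(pin, salt=None):
    """Salted slow hash. A 6-digit PIN has only one million values, so a fast
    unsalted hash would be trivially reversible from a leaked table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_pin(pin, stored):
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare


# Constructed stand-in used when the QR token is unknown, so the PIN check still
# runs and the response time does not reveal whether the token exists.
_DECOY = {"pin_hash": hash_pin("000000"), "dob": "1900-01-01"}


def verify_patient(client_ip, token, pin, dob, records, limiter):
    """Three-factor patient check (QR token + PIN + DOB) behind a per-IP limit.

    Returns "rate_limited", "denied" or "verified". All three factors are
    evaluated before answering, and a single generic failure is returned.
    """
    if not limiter.allow(client_ip):
        return "rate_limited"
    record = records.get(token, _DECOY)
    token_ok = token in records
    pin_ok = verify_pin(pin, record["pin_hash"])
    dob_ok = hmac.compare_digest(dob.encode(), record["dob"].encode())
    return "verified" if (token_ok and pin_ok and dob_ok) else "denied"


if __name__ == "__main__":
    # Constructed sample data: one care-plan record keyed by its QR token.
    records = {"qr_token_constructed": {"pin_hash": hash_pin("482913"), "dob": "1987-03-14"}}
    limiter = SlidingWindowLimiter(*PATIENT_VERIFY_POLICY)
    print(verify_patient("198.51.100.7", "qr_token_constructed", "482913", "1987-03-14", records, limiter))
    for _ in range(5):   # wrong PIN five more times: four "denied", then "rate_limited"
        print(verify_patient("198.51.100.7", "qr_token_constructed", "000000", "1987-03-14", records, limiter))
```

The limiter counts the attempt before the credentials are checked, which is what makes a 5-per-hour budget meaningful against a one-million-value PIN space: the slow hash protects a leaked table, the limiter protects the live endpoint. In a multi-instance deployment the per-IP counters would live in a shared store (a database or cache) rather than in process memory.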

    05

    Audit & Monitoring

    • All API requests are logged in a tamper-evident audit trail
    • Patient engagement events are tracked for provider visibility
    • Email delivery is logged with suppression list management
    • Legal acceptances are recorded with timestamp, IP address, and user agent

    06

    Patient Privacy

    • Patients access care plans via a secure, time-limited browser session. No account required.
    • Patient sessions automatically expire after the recovery period ends
    • SMS delivery of care plans requires explicit patient opt-in consent
    • No patient data is sold or shared with third parties

    07

    Data Retention

    • Patient access audit log (patient_view) preserved indefinitely per HIPAA Security Rule
    • API access audit log (http_request) retained 90 days, then pruned by daily cron
    • EHR launch session payloads expire 30 minutes after issuance
    • Provider data snapshots retained 90 days per provider, capped at 50 most recent
    • Account closure: clinic data retained 6 years per HIPAA, then permanently deleted on request

    08

    Incident Response

    • Designated Security Official: dnelson@qrrx.io. Active during business hours, on-call for confirmed incidents.
    • Breach notification: affected covered entities notified within 60 days of confirmed PHI breach (HIPAA Breach Notification Rule)
    • Incident triage runbook: identify scope, contain, document, notify affected parties, root-cause analysis
    • Patient-side error capture via /api/client-errors with PHI scrubbing before storage
    • Active-incident contact: trust@qrrx.io flagged URGENT in subject line
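The error-capture bullet above (PHI scrubbing before storage) and the "PHI-scrubbing fingerprint dedup" bullet under Continuous Monitoring describe the same pipeline: strip identifiers from a client error report, then collapse repeated occurrences of the same error into one record. The block below is an added example for this page, not QR Rx's code. The regular expressions, the report field names, the fingerprint recipe and the sample reports are all constructed for the example.

```python
import hashlib
import re

# Heuristic identifier patterns, constructed for this example. A production
# scrubber is tuned to the application's real field names and payload shapes,
# and errs toward over-redaction: a lost date in an error message is cheaper
# than a stored one.
PHI_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "<phone>"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "<date>"),           # ISO dates such as a DOB
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "<date>"),       # US-style dates
    (re.compile(r"(?i)\b(pin|dob|token)=[^&\s]+"), r"\1=<redacted>"),  # query-string fields
]


def scrub(text):
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def top_frame(stack):
    """First 'at ...' line of a browser stack trace, or '' if there is none."""
    for line in (stack or "").splitlines():
        line = line.strip()
        if line.startswith("at "):
            return line
    return ""


def fingerprint(error_type, message, frame):
    """Group the same error across occurrences: runs of digits (line numbers,
    ids, counts) collapse to N before hashing, so only the shape is compared."""
    normalized = re.sub(r"\d+", "N", f"{error_type}|{message}|{frame}")
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


class ErrorStore:
    """Server-side sink for client error reports: scrub first, then dedup.

    Only scrubbed fields are ever written, so an identifier that slipped into
    a message or URL on the client never reaches the stored record.
    """

    def __init__(self):
        self.records = {}   # fingerprint -> stored record

    def capture(self, report):
        """Returns (fingerprint, is_new)."""
        error_type = report.get("type", "Error")
        message = scrub(report.get("message", ""))
        frame = scrub(top_frame(report.get("stack")))
        url = scrub(report.get("url", ""))
        fp = fingerprint(error_type, message, frame)
        if fp in self.records:
            self.records[fp]["count"] += 1
            self.records[fp]["last_url"] = url
            return fp, False
        self.records[fp] = {"type": error_type, "message": message, "frame": frame,
                            "last_url": url, "count": 1}
        return fp, True


def demo():
    """Constructed client reports, shaped like what a browser might POST."""
    store = ErrorStore()
    reports = [
        {"type": "TypeError", "message": "Cannot read plan for jane.doe@example.com (DOB 1990-05-04)",
         "stack": "TypeError: Cannot read plan\n    at loadPlan (app.js:42:13)",
         "url": "https://app.example/care?token=abc123&pin=482913"},
        {"type": "TypeError", "message": "Cannot read plan for john.q@example.org (DOB 03/14/1987)",
         "stack": "TypeError: Cannot read plan\n    at loadPlan (app.js:57:9)",
         "url": "https://app.example/care?token=zzz999&pin=113355"},
        {"type": "NetworkError", "message": "Reminder to 555-867-5309 failed",
         "stack": "NetworkError: failed\n    at sendReminder (sms.js:8:1)",
         "url": "https://app.example/reminders"},
    ]
    return store, [store.capture(r) for r in reports]


if __name__ == "__main__":
    store, results = demo()
    for fp, record in store.records.items():
        print(fp, record["count"], record["message"])
```

Scrubbing runs before fingerprinting on purpose: if the hash were taken over the raw message, two reports about different patients would land in different buckets and the identifiers would survive in the grouping key. Digit normalisation then lets the same `TypeError` at different line numbers (a redeploy moves them) dedup into a single record with a count.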

    09

    Continuous Monitoring

    • Server-side error logging with PHI-scrubbing fingerprint dedup
    • Per-IP rate limiting on every public endpoint (login, patient verification, lead form, subscribe, dispute, review)
    • Cloudflare Turnstile bot protection on every public POST surface
    • Stripe webhook signature verification + idempotent event handling
    • Automated subscription state reconciliation across Stripe and the directory verified-aftercare badge
    • Annual third-party penetration test scheduled for Q4 2026 (results available via trust@qrrx.io under NDA)
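"Stripe webhook signature verification + idempotent event handling" names two controls that fail in different ways: a missing signature check lets anyone who can reach the endpoint flip a subscription state, and a missing idempotency check lets a legitimately redelivered event apply twice. The block below is an added example written for this page; it is not QR Rx's code and does not use the Stripe SDK. It models the `Stripe-Signature` scheme (a `t=` timestamp and one or more `v1=` HMAC-SHA256 values over `<timestamp>.<raw body>`); the tolerance value, the in-memory processed-id set, the event bodies and the secret are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Signatures older than this are rejected, which bounds the replay window.
TOLERANCE_SECONDS = 300


def compute_signature(secret, timestamp, payload):
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_signature(payload, sig_header, secret, now=None):
    """Check a "t=<ts>,v1=<sig>[,v1=<sig>]" header against the raw body.

    The raw bytes must be used: re-serialising parsed JSON changes whitespace
    and key order and breaks the MAC. Returns True only if the timestamp is
    fresh and at least one v1 value matches, compared in constant time.
    """
    now = time.time() if now is None else now
    timestamp, candidates = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, payload)
    return any(hmac.compare_digest(expected, c) for c in candidates)


class WebhookProcessor:
    """Verifies, then applies each event at most once.

    `processed_ids` stands in for a database table keyed by event id with a
    unique constraint; inserting the id and applying the state change belong
    in one transaction so a crash between them cannot double-apply.
    """

    def __init__(self, secret, processed_ids=None):
        self.secret = secret
        self.processed_ids = set() if processed_ids is None else processed_ids
        self.subscription_state = {}   # subscription id -> status (the badge's view)

    def handle(self, payload, sig_header, now=None):
        if not verify_signature(payload, sig_header, self.secret, now):
            return "rejected"
        event = json.loads(payload)
        if event["id"] in self.processed_ids:
            return "duplicate"          # redelivery of an already-applied event
        self.processed_ids.add(event["id"])
        obj = event["data"]["object"]
        if event["type"].startswith("customer.subscription."):
            self.subscription_state[obj["id"]] = obj["status"]
        return "processed"


def demo():
    """Constructed webhook traffic: one good delivery, a redelivery, a stale
    replay and a tampered body."""
    secret = "whsec_constructed_example_secret"   # constructed, not a real key
    body = json.dumps({"id": "evt_constructed_001", "type": "customer.subscription.updated",
                       "data": {"object": {"id": "sub_constructed_001", "status": "active"}}}).encode()
    now = 1_700_000_000
    header = f"t={now},v1={compute_signature(secret, now, body)}"
    proc = WebhookProcessor(secret)
    results = [
        proc.handle(body, header, now=now),                                  # processed
        proc.handle(body, header, now=now),                                  # duplicate
        proc.handle(body, header, now=now + TOLERANCE_SECONDS + 1),          # rejected: stale
        proc.handle(body.replace(b"active", b"canceled"), header, now=now),  # rejected: tampered
    ]
    return results, proc.subscription_state


if __name__ == "__main__":
    print(demo())
```

Signature verification answers "did Stripe send this?"; the processed-id check answers "have we already acted on it?". Neither replaces the reconciliation job in the bullet above: a webhook that was never delivered leaves no event to dedup, which is why the subscription state is also re-read from the billing side on a schedule.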

    Subprocessors

    Every external service that touches QR Rx data, in one table.

    A subprocessor is a third party we use to run the platform. We disclose every one, its function, the data classification, and BAA status. PHI = Protected Health Information; "BAA signed" means we have a Business Associate Agreement on file with that vendor; "BAA not required" means the vendor does not process PHI by architectural design (procedure-level content only, or billing-only data).

    LAST UPDATED · MAY 1, 2026

    Vendor: Function · Region · Data classification · BAA status

    Infrastructure
    • Render: Application hosting + Postgres database · US · PHI · BAA signed
    • AWS S3: Logo + asset storage, provider data snapshots · US · PHI · BAA signed

    Communications
    • Paubox: Transactional email delivery (HIPAA-covered) · US · PHI · BAA signed
    • Telnyx: SMS delivery (care plan links + reminders) · US · PHI · BAA signed

    AI / Translation
    • Anthropic (Claude): Patient Q&A + template parsing (procedure content only, no PHI) · US · No PHI · BAA N/A
    • Google Translate: Care plan translation (procedure content only, no PHI) · US / global · No PHI · BAA N/A

    Billing
    • Stripe: Subscription billing + payment processing · US / global · No PHI · BAA N/A

    Need our DPA, security questionnaire (CAIQ / SIG), or vendor-risk packet? Email trust@qrrx.io and we'll send the latest. We respond within one business day.

    Compliance

    Questions about our security posture?

    If you'd like to review our BAA, request a security questionnaire, or discuss compliance, we're happy to help.