Skip to main content
Provcreda

Security and compliance readiness

Controls mapped to HIPAA, SOC 2, and ISO 27001 expectations.

Provcreda is built for sensitive provider credentialing and enrollment work. Our program combines secure portal intake, role-based access, tenant scoping, audit trails, encryption practices, vendor review, incident readiness, and evidence collection across the website, client portal, provider portal, employee portal, and supporting operations.

This page describes readiness and control alignment. It is not an HHS/OCR certification, SOC 2 report, or accredited ISO 27001 certificate. Formal third-party attestation claims will only be made after the applicable independent audit or certification is complete.

Framework mapping

Three trust programs, one practical control system.

The same operational controls support multiple frameworks: protect sensitive data, restrict access, preserve evidence, manage vendors, train the workforce, monitor risk, and keep public marketing paths separate from secure service delivery.

HIPAA

HIPAA-aligned safeguards

Readiness program active

Provcreda maps PHI and ePHI handling to administrative, physical, and technical safeguards, including minimum necessary workflows, secure portal intake, access controls, audit logging, encryption practices, BAA/vendor review, incident response, and training evidence.

SOC 2

SOC 2 readiness

Mapped controls, no CPA report yet

Provcreda's security program is organized around SOC 2 Trust Services Criteria themes for security, availability, confidentiality, processing integrity, and privacy. A formal SOC 2 examination must be performed by an independent CPA firm before any SOC 2 attestation claim is made.

ISO 27001

ISO 27001-aligned ISMS

ISMS documentation in progress

Provcreda maintains ISO 27001-aligned ISMS artifacts such as scope, risk register, risk treatment plan, Statement of Applicability, secure development standards, vendor inventory, incident response, and management-review templates. Accredited certification is a future external audit step.

Controls in place

How the app is structured for safer operation.

These are customer-safe summaries of the controls Provcreda uses. We intentionally avoid publishing implementation details that would help an attacker target private infrastructure or sensitive workflows.

Role and tenant scoped access

Employee, client, provider, and admin surfaces use authenticated routes, backend authorization checks, least-privilege role design, and organization-scoped portal access.

MFA and secure sessions

The app supports unique user accounts, hashed passwords, MFA enrollment and verification flows, protected session checks, timeout expectations, and separate portal entry points.

Audit logging and evidence

Security-relevant workflow events, exports, document activity, admin actions, BAA work, and compliance audit runs are designed to be traceable without placing raw PHI in logs.

Encryption and private storage design

Production architecture is designed for HTTPS/TLS, encrypted databases, private document storage, managed secrets, encrypted backups, and AWS HIPAA-eligible services after AWS evidence is verified.

Vendor and BAA workflow

Vendor inventories, BAA tracking, client/provider group BAA procedures, subcontractor review, and PHI boundary documentation are maintained before sensitive workflows are enabled.

Secure SDLC and monitoring

Repository safety checks, dependency audits, compliance audits, route-boundary checks, network audits, release gates, and change-management records support ongoing review.

Current evidence snapshot.

We maintain proof internally and summarize customer-safe results publicly. Live AWS infrastructure verification requires an authenticated AWS evidence pass and remains separated from public marketing copy.

Repository safety

Passed

Secret/local-file safety scan passed on July 9, 2026.

Dependency audit

Passed

Production dependency audit reported 0 high vulnerabilities on July 9, 2026.

Compliance audit

Warning

28 passed, 4 warnings, 0 failures; AWS/live proof items remain open until authenticated evidence is captured.

Live public network audit

Passed

Protected unauthenticated endpoints returned expected 401/403 responses; no failed endpoint checks.

Proof boundaries

Transparent without publishing the playbook.

Customers should understand what protections exist. Attackers should not receive a map of private infrastructure, security tooling, identity rules, or incident response steps.

We do not publish raw infrastructure diagrams that disclose private network details, IAM policy internals, secret names, vulnerable findings, or operational playbooks.

We do not accept PHI, ePHI, Social Security numbers, dates of birth, credentialing passwords, payor passwords, claims data, or sensitive documents through public forms.

Detailed evidence packets can be reviewed through an approved due-diligence or contractual process with appropriate confidentiality boundaries.

HIPAA, SOC 2, and ISO 27001 readiness depend on deployed configuration, signed agreements, workforce behavior, vendor posture, operating evidence, and periodic review.