Sanova

Security & Compliance • BAA • SSO/SAML • RBAC • Audit logs • Data residency

Enterprise-grade protections for regulated healthcare workloads.

Sanova is designed for HIPAA-covered entities with layered defenses, robust identity controls, auditable activity, and regional data residency options.

Talk to our security teamExplore controls

Defense-in-depth controls

Layered protections from identity to runtime — designed to pass security review.

Identity & Access
  • SSO/SAML (Okta, Azure AD, custom IdP)
  • Granular RBAC with least-privilege defaults
  • SCIM user lifecycle (provision/deprovision)
  • MFA enforcement & session policies
Auditability
  • Immutable audit logs for admin & clinical actions
  • Config change history with before/after diff
  • Export to SIEM (Splunk, Datadog) via webhook
  • Tamper-evident log signing & retention
Encryption
  • TLS 1.2+ in transit with HSTS
  • AES-256 at rest with key rotation
  • Customer-managed keys (CMK) option
  • Field-level tokenization for sensitive identifiers
Data Residency
  • Regional hosting: US • EU • UK • CA
  • PHI stays in-region; egress controls
  • Backups isolated per region & encrypted
  • Data processing addenda for subprocessors
Runtime & Network
  • Private VPC, security groups, WAF & DDoS protection
  • Zero-trust service mesh & mTLS
  • Image signing, SBOMs & vulnerability scans
  • Readonly containers for stateless services
Content Safety
  • PII/PHI detectors in ingestion + redaction options
  • Prompt/response guardrails for AI features
  • Upload AV scanning & type enforcement
  • Granular file sharing controls

Certifications & attestations

Evidence packages available under NDA. Ask for our security exhibit during contracting.

HI
HIPAA Readiness
AvailableBAA
BAA available; HIPAA-aligned controls & processes.
HT
HITRUST (prioritized)
In progressHealthcare
Harmonized healthcare control baseline.
RBACSSO/SAMLSCIMAudit LogsCMK (BYOK)Regional Data ResidencyEncrypted Backups

Regional data residency

Choose where PHI lives and is processed. Egress controls prevent cross-region movement unless you explicitly allow it.

Available regions: United States, European Union, United Kingdom, Canada. Backups are per-region, encrypted and isolated. Disaster recovery is tested regularly.
  • • Logical separation per tenant + per environment
  • • Customer-managed keys option (BYOK/CMK)
  • • Access approvals & break-glass workflows
  • • Data processing addenda for subprocessors
Regional map (US • EU • UK • CA)

Audit trails that stand up to scrutiny

Who did what, when, where
Every admin and clinical action is captured with actor, timestamp, target, IP, user-agent and correlation IDs.
Tamper-evident & exportable
Logs are append-only with signing. Stream to your SIEM or archive to cold storage.
Config diffs & approvals
Track environment changes with approver, change request and before/after diffs.

Security & compliance FAQ

Yes. We provide a BAA and security exhibit as part of contracting. Evidence packages are available under NDA.

Ready for a security deep-dive?

We’ll walk through controls, evidence, and regional deployment options tailored to your environment.

Talk to our teamRead the security docs