Trust center

Security, privacy & compliance

PeptIQ handles sensitive health and protocol data across our mobile app, web app, and provider console. We built our platform with security and privacy as foundational requirements — not afterthoughts.

Our compliance posture

We align engineering, product, and operational practices with frameworks clinics and enterprises expect when evaluating health-adjacent software.

HIPAA-aligned practices

We design products and workflows around PHI minimization, consent-aware sharing, and safeguards expected under HIPAA and the HITECH Act — especially for clinic and provider workflows.

SOC 2-aligned controls

Our engineering and operations follow security control categories common to SOC 2 (security, availability, confidentiality) — including access management, monitoring, and change discipline.

Privacy by design

Users control what they log. Provider views are consent-scoped. We collect only what features require and document how data flows across the mobile app, web app, and provider console.

PeptIQ's security and privacy practices are aligned with the HIPAA and SOC 2 frameworks. This reflects our security standards and engineering practices and is not a claim of formal certification, attestation, or completed third-party audit unless explicitly stated in a signed agreement.

How we protect your data

Technical and organizational controls designed for health data, clinic workflows, and everyday users.

Encryption in transit & at rest

Data is protected with TLS in transit. Stored data uses industry-standard encryption at rest through our cloud infrastructure providers.

Role-based access & least privilege

Staff permissions in the provider console are scoped by role. Internal access to production systems follows need-to-know principles.

Patient consent & scoped sharing

Clinic staff see patient protocol and adherence data only when the patient has accepted an invite and granted the relevant consent scopes.

Audit logging

Sensitive actions in provider workflows — such as access to patient records and staff changes — are logged to support accountability and review.

Backups & recovery

Production data is backed up on a regular schedule with retention policies designed to support recovery from accidental loss or infrastructure failure.

Secure infrastructure

We run on modern cloud infrastructure with network isolation, patched runtimes, and secrets managed outside application code.

Monitoring & alerting

Operational monitoring, error tracking, and alerting help us detect anomalies and respond to incidents quickly.

Change management

Code changes go through review before production. Database migrations and infrastructure updates follow controlled deployment practices.

Documentation

Request security documentation

Clinics, partners, and procurement teams can request our security package. We typically share materials under mutual NDA for qualified organizations evaluating PeptIQ for clinical or enterprise use.

You can also email us directly at [email protected]. Include your organization name and the documents you need.

Security overview

High-level summary of architecture, data flows, and control areas.

Available on request

HIPAA / BAA package

Business Associate Agreement templates and PHI handling summary for covered entities and clinics.

Available on request

SOC 2 control narrative

Control mapping and policy summaries aligned to SOC 2 trust service criteria.

Available on request

Subprocessor list

Third-party vendors that may process data on our behalf, with purpose and region notes.

Available on request

A self-service documentation portal is coming soon. Until then, our team will respond to requests within two business days.

Our commitment

Security is ongoing work. We review access regularly, patch dependencies, improve monitoring, and refine consent flows as our product grows. If you discover a vulnerability or have a security question, contact [email protected].

PeptIQ is for educational and operational support purposes. It is not a substitute for an electronic medical record system or licensed medical advice. See our disclaimers for details.