Security posture.

Read-only by default. Audit-ready by design. Per-product compliance schedules below.

Architecture principles

  • Read-only by default. We surface from systems of record; we don't write back unless explicitly contracted.
  • Least privilege. Every integration uses the minimum scope required to surface relevant context.
  • Audit logging from day one. Every read is logged with actor, timestamp, scope, and justification.
  • Encryption. TLS 1.2+ in transit. AES-256 at rest. Per-tenant key isolation where required.

Per-product compliance

MD · Clinical

  • HIPAA-aligned. BAA available with signed contract.
  • SOC 2 Type I in progress (target: 2026 Q3).
  • Per-EHR vendor security review supported.

BIZ · Business

  • SOC 2 Type I in progress.
  • SSO/SAML support roadmapped for v1.
  • GDPR-aligned for EU customers.

EDU · Education

  • FERPA-aligned architecture.
  • COPPA-aware for K-12 deployments.
  • State-by-state data privacy compliance (e.g. California AB 1584, New York Ed Law 2-d).

Reporting vulnerabilities

If you've found a security issue, email security@handoffwiz.com. We acknowledge within two business days. Coordinated disclosure preferred.

Contact

Security questions and vendor reviews: security@handoffwiz.com.