Security
Security is foundational, not an afterthought.
Notive implements defense-in-depth across every layer — network, application, data, and access control. Your patients' data gets the same standard of care you give your patients.
Isolated by design.
Notive is a multi-tenant platform with strict organization-level data isolation. Every database query passes through row-level security policies scoped to your organization, so your data is never visible to other tenants at any layer.
Multi-AZ deployment with offsite WAL archiving ensures durability and fast recovery. Encryption at rest and in transit protects data at every layer.
AI processing runs via BAA-covered API providers. All third-party services handling PHI operate under Business Associate Agreements.
Defense-in-Depth Architecture
Security controls by layer.
Each layer independently enforces security controls, so a failure in one does not compromise the system.
Network Security
- Private subnets for all data-plane services
- TLS 1.2+ enforced on all connections
- Mutual TLS (mTLS) for all internal service-to-service traffic
- Webhook endpoints protected by IP allowlists and signature verification
- WAF and edge security at the CDN layer
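The two webhook controls listed above (IP allowlist and signature verification) fit together as one verification routine. The following is an added example, not Notive's code: it assumes a Stripe-style signature header of the form `t=<unix time>,v1=<hex HMAC-SHA256>` computed over `<timestamp>.<raw body>`, and the secret, allowlist and five-minute replay window are constructed for illustration.

```python
"""Webhook hardening: source IP allowlist plus HMAC signature and replay check.

Added example (not the platform's own code). Header layout, secret, allowlist
and tolerance window are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional, Tuple

# Constructed values; a real deployment loads these from configuration.
WEBHOOK_SECRET = b"whsec_example_secret_do_not_use"
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
MAX_SKEW_SECONDS = 300  # reject signatures more than five minutes old (replay window)


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Produce the header value a sender would attach; used here to build test input."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def source_allowed(remote_ip: str) -> bool:
    """True only if the peer address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def verify_webhook(remote_ip: str, header: str, body: bytes,
                   now: Optional[int] = None,
                   secret: bytes = WEBHOOK_SECRET) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheapest check runs first; any failure is a hard reject."""
    if not source_allowed(remote_ip):
        return False, "source ip not allowlisted"
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    if "t" not in parts or "v1" not in parts:
        return False, "malformed signature header"
    try:
        ts = int(parts["t"])
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    # The timestamp is part of the signed string, so an attacker cannot refresh
    # a captured request by editing "t" alone.
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time and does not leak the first mismatching byte.
    if not hmac.compare_digest(expected, parts["v1"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"event":"note.signed","id":"evt_1"}'   # constructed payload
    ts = 1700000000
    print(verify_webhook("203.0.113.5", sign(body, ts), body, now=ts + 10))
```

The signature must be computed over the raw request bytes, not over a re-serialized JSON object, since any whitespace or key-order change would break the MAC. Keep the IP allowlist as the outer check: it is cheap and drops most noise before any cryptography runs, but it is not a substitute for the signature because source addresses can be spoofed or shared.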
Authentication
- Argon2id password hashing with auto-upgrade (stored hashes are transparently re-hashed at login when the hashing parameters change)
- Short-lived JWT access tokens (30 minutes)
- Multi-factor authentication: TOTP, WebAuthn/passkeys, email OTP, SMS OTP
- Brute-force protection with rate limiting on login and MFA
- Password change invalidates all outstanding sessions
Authorization
- 48 granular permissions across 4 role tiers (Staff, Clinician, Admin, Owner)
- Organization-scoped row-level security — every query enforced at the database layer
- Clinical safety gates: only providers can sign encounters or prescribe
- Patient portal uses a separate auth flow with own-data-only access
- Quarterly privileged access reviews
Audit & Monitoring
- Comprehensive audit logging of all access to protected health information
- Immutable audit trail with user, action, entity, IP, and timestamp
- 7-year retention (exceeds HIPAA 6-year requirement)
- Automated hot-to-cold archival: database (90 days) to encrypted object storage
- Security event monitoring and alerting
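The page states that the audit trail is immutable and records user, action, entity, IP and timestamp, but not how immutability is achieved. One way to make the trail tamper-evident is to chain each entry to the hash of the previous one, so that editing, reordering or deleting an earlier record breaks every hash after it. The block below is an added example, not Notive's mechanism: the field set comes from the page; the chain layout, the `AuditLog` class and the genesis value are assumptions.

```python
"""Hash-chained audit log: every entry commits to its predecessor.

Added example (not the platform's code). Field names follow the page; the
chaining scheme and class names are assumptions.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # assumed anchor for the first entry


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible
    # regardless of how the record was serialized when it was stored.
    return hashlib.sha256(
        json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, user: str, action: str, entity: str, ip: str, timestamp: str) -> dict:
        """Append one record; its hash covers its own fields and the previous hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "user": user,
            "action": action,
            "entity": entity,
            "ip": ip,
            "timestamp": timestamp,
            "prev": prev,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; anchoring this off-system lets truncation be detected too."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    An entry is bad if its sequence number, its link to the previous hash, or
    its own hash does not match what the preceding entries imply.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or body.get("prev") != prev or _digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    return None


if __name__ == "__main__":
    # Constructed sample records.
    log = AuditLog()
    log.append("dr.smith", "view", "patient:42", "10.0.0.5", "2024-05-01T10:00:00Z")
    log.append("dr.smith", "sign", "encounter:7", "10.0.0.5", "2024-05-01T10:05:00Z")
    print(verify_chain(log.entries), log.head())
```

The chain detects edits and deletions in the middle of the log, but not removal of the newest entries, because nothing commits to the tail. Periodically recording the head hash somewhere the database writer cannot reach (a signed export in cold storage, for example) closes that gap; the 90-day hot-to-cold archival described above is a natural point to do so.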
Data Protection
- Encryption at rest: AES-256 for all stored data and objects
- Encryption in transit: TLS 1.2+ for all external and internal traffic
- MFA secrets and sensitive credentials encrypted with Fernet (authenticated symmetric encryption: AES-128-CBC with an HMAC-SHA256 tag)
- Soft deletes for all clinical data — nothing is hard-deleted
- Automated backup with point-in-time recovery and encrypted off-site replication
Application Security
- Content Security Policy (CSP) enforced on all responses
- HTTP Strict Transport Security (HSTS) with long max-age
- Input validation on all endpoints via typed schemas
- Malware scanning (ClamAV) on all uploaded documents
- Regular DAST scanning with remediation tracking
- MIME type detection and file type allowlisting on uploads
Compliance
Built for regulated healthcare.
HIPAA Security Rule
Full implementation of the administrative, physical, and technical safeguards defined by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
Business Associate Agreement
BAA available for all covered entities on paid plans. All third-party vendors handling PHI operate under executed BAAs.
EPCS Compliance
Electronic Prescribing for Controlled Substances meets DEA requirements with identity proofing, two-factor authentication, and Drummond Group audits.
PHI Hygiene
Protected health information is redacted from application logs, masked in monitoring, and excluded from error reporting. Audio recordings follow configurable retention policies with automated cleanup.
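Redacting PHI from application logs is easiest to get right at one choke point, before any log line reaches a handler. The block below is an added example, not Notive's code: it shows a `logging.Filter` that rewrites each record's message through a small set of patterns. The patterns (SSN, e-mail, US phone number, and a few named fields such as `mrn=` and `patient_name=`) are assumptions chosen for the demonstration, as is the sample log line.

```python
"""Log-line PHI redaction as a logging.Filter.

Added example (not the platform's code). Redaction patterns and the sample
message are constructed for illustration; a real rule set is driven by the
application's own field names.
"""
import io
import logging
import re

# Order matters: the SSN pattern runs before the phone pattern so that
# "123-45-6789" is labelled as an SSN rather than partially as a phone number.
_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"), "[PHONE]"),
    # Assumed field names; values are single tokens in this demo (\S+).
    (re.compile(r"(?i)\b(mrn|dob|patient_name)=\S+"), r"\1=[REDACTED]"),
]


def redact(text: str) -> str:
    """Apply every rule in sequence and return the sanitized text."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


class PHIRedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so neither msg nor args reach a handler raw."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second % formatting pass
        return True


def log_through_filter(message: str) -> str:
    """Send one message through a logger carrying the filter; return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger("redaction.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample line containing several PHI-shaped values and one non-PHI value.
SAMPLE = ("encounter saved patient_name=Jane.Doe mrn=00123456 ssn=123-45-6789 "
          "contact=jane@example.com phone=(555) 010-1234 ip=203.0.113.5")

if __name__ == "__main__":
    print(log_through_filter(SAMPLE))
```

Attach the filter to every handler (or to the root logger) rather than relying on call sites to remember; the place this most often fails is exception reporting, where the stack trace carries local variables, so the same redaction should run on `record.exc_text` before it is shipped to an error-tracking service.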
Responsible disclosure.
If you discover a security vulnerability in Notive, we want to hear about it. Please report vulnerabilities to security@notivehealth.com. We commit to acknowledging receipt within 24 hours and providing an initial assessment within 72 hours.
We ask that you give us reasonable time to address the issue before public disclosure. We will not take legal action against researchers who follow responsible disclosure practices.
Questions about security or compliance?
We're happy to walk through our security architecture, provide our BAA, or answer specific compliance questions.