
Security

Effective May 5, 2026

Security is foundational to the Medicare Intelligence OS. We process compliance-critical data — call content, commission records, beneficiary interactions, and carrier intelligence — and we operate under HIPAA-aware infrastructure with controls aligned to industry frameworks. This page summarizes our current posture; customer-facing audit reports and questionnaires are available under NDA.

Notice

This page is informational and reflects current practice. It is not legal advice. For binding terms applicable to a specific engagement, refer to your signed agreement with Artificial Bridge LLC. Material changes will be posted here with a new effective date.

01 Architecture and data protection

  • TLS 1.2+ enforced for all client and server-to-server communication.
  • AES-256 (or equivalent) encryption at rest for primary stores, backups, and object storage.
  • Tenant isolation by logical separation in shared infrastructure, with carrier and FMO tenants supported by dedicated logical environments where required.
  • Secrets management via a hardened vault with rotation and audit.
  • Production data is not used in non-production environments.

02 Access controls

  • Role-based access control (RBAC) with least-privilege defaults.
  • SSO and SAML 2.0 supported for FMO and carrier tiers; SCIM provisioning available.
  • MFA required for all employee access to production systems.
  • Just-in-time elevation and audit logging for privileged actions.
  • Quarterly access reviews and automatic revocation on role change or termination.

03 Application security

  • Secure SDLC including code review, dependency scanning, and SAST in CI.
  • Pre-deploy automated tests for authentication, authorization, and tenancy.
  • Customer-data redaction for AI prompts where feasible; PHI is processed under the applicable BAA.
  • Rate limiting, anomaly detection, and abuse mitigation at the edge.

04 Vulnerability management

  • Continuous dependency monitoring and patch SLAs aligned to severity.
  • Annual third-party penetration testing; report summaries available under NDA.
  • Internal red-team exercises against compliance and AI-misuse scenarios.
  • Coordinated vulnerability disclosure: report findings to security@theartificialbridge.com — we will acknowledge within two business days.

05 Monitoring and incident response

  • Centralized logging with immutable retention for security-relevant events.
  • SIEM-style detection on authentication, authorization, and data-access anomalies.
  • Documented incident-response plan with on-call rotation and severity tiers.
  • Customer notification timelines defined contractually; HIPAA breach notifications consistent with 45 CFR § 164.410.

06 Business continuity

  • Geographically redundant infrastructure for primary services.
  • Documented backup strategy with regular restoration testing.
  • RTO and RPO targets defined per service; details available to enterprise customers on request.

07 Compliance posture and roadmap

  • HIPAA-aware infrastructure and BAA available for carrier and FMO tiers.
  • SOC 2 Type II — engagement in progress; report distribution under NDA on completion.
  • Alignment to NIST 800-53 (moderate baseline) and NIST AI RMF for AI-specific risk.
  • CMS Digital Health Technical Assistance and ONC/FHIR alignment on the BRIDGEt App Library pathway.

08 Procurement and due-diligence kit

Carrier and FMO procurement teams can request a due-diligence package under NDA. The kit is assembled from the same evidence the platform generates continuously, so it reflects current posture rather than a point-in-time snapshot.

  • SOC 2 report — Type I and bridge letter now; Type II on completion of the engagement in progress.
  • HIPAA security risk assessment summary and BAA template v2.
  • Penetration test executive summary with current remediation status.
  • Architecture and data-flow diagrams annotated with PHI trust boundaries.
  • Hash-chained audit log sample mapped to SOC 2 CC4.1 and CC7.2 controls.
  • Subprocessor list and completed CAIQ / SIG-Lite security questionnaire.

09 AI safety and integrity

  • Model outputs are gated by guardrails for CTM, AHIP, and CMS Marketing Guideline categories where applicable.
  • Training data is sourced under permitted-use rights; PHI is segmented and processed only under BAA terms.
  • Outputs are logged with model and prompt metadata to support audit and contestability.
  • Customers may opt out of using their content for model improvement at the tenant level.

10 Subprocessors

We use a limited set of vetted subprocessors for cloud infrastructure, model serving, observability, communications, and payments. A current list and notification of material changes are available to customers on request and as required by data-protection terms.

11 Reporting a security issue

Please email security@theartificialbridge.com with reproduction steps, impact, and any supporting artifacts. We accept reports in good faith and will not pursue action against researchers acting in compliance with this disclosure policy.


Artificial Bridge LLC · Anna, Texas