Home Product Solutions Security Pricing Resources About Contact Request a demo
Trust center

PHI never moves before the paperwork does

Every safeguard is in place, in writing, before a single claim line is shared.

Before data moves

Always in place first

Signed BAA

Meets 45 CFR 164.314 and 164.504(e), executed before any PHI is shared.

Letter of authorization

Names Soro the plan's authorized vendor with the TPA. Nothing more.

Defined audit scope

Minimum necessary access to the data required for the audit, and nothing else.

Safeguards

Four layers, documented

Administrative

A named security officer, workforce training, role-based access, an incident response plan, and an annual review.

Technical

Multi-factor authentication, TLS 1.2 or higher in transit, AES-256 at rest, session timeouts, and audit logging.

Physical

Access-controlled cloud infrastructure only. Never portable media, and disk encryption throughout.

Organizational

A signed BAA with every subcontractor that touches PHI, plus a maintained system inventory.

Use and disclosure

Soro uses PHI for exactly one purpose: the audit. We do not sell PHI, use it for marketing, or aggregate it into other products.

Data lifecycle

Data arrives over SFTP or TLS, stays encrypted at rest, and is reported back in de-identified form. On termination, we return or destroy it with written certification.

Breach notification

If a breach of unsecured PHI occurs, we notify the plan promptly and cooperate on the required reporting.

Member privacy

Plan members are never contacted by Soro. We work with the plan and the TPA, not with patients.

Security questions go to maximus@soro.health. Privacy questions go to maximus@soro.health.