Soro operates under signed Business Associate Agreements with every vendor that touches health data. No agreement, no access. That rule has no exceptions.
The agreement comes before the integration, every time.
Lock 02 · Encryption
Encrypted in transit and at rest
Data moves over TLS and rests under AES-256, backups included. There is no unencrypted path in and no unencrypted copy inside.
TLS on every connection. AES-256 on every stored byte.
Lock 03 · Secure intake
One door in, straight to storage
Billing files upload through an encrypted channel that lands them directly in secured storage. They are never emailed and never handled as loose files.
One encrypted door in. No attachments, no loose copies.
Lock 04 · Access controls
Least privilege, fully logged
People see only what their work requires, behind individual authenticated logins. Every access to health data is logged: who, what, when.
Access is scoped to the job and every read is on the record.
Lock 05 · Infrastructure
An isolated home on HIPAA-eligible cloud
Client data lives on HIPAA-eligible cloud infrastructure, inside an isolated network environment. Nothing sits on laptops or portable media.
Logging and monitoring run continuously. Unusual access gets flagged and reviewed the moment it appears, not discovered later.
Unusual access is flagged the moment it appears.
The short version
Security by the numbers
0bit AES encryptionOn every stored byte, backups included
0of vendors under signed BAAsBefore any health data moves
0logging and monitoringNo off hours, no blind spots
0files outside secured storageNever emailed, never loose
Follow one file
What happens to a claim file at Soro
From the moment it leaves your system to the moment someone reads it, a file is never unprotected and never unaccounted for.
Upload
The file leaves your system through an encrypted link. Nothing travels by email.
In transit
TLS wraps it the whole way. No readable copy exists en route.
At rest
It lands in secured storage and rests under AES-256, isolated from the open internet.
On the record
Every open and every read is logged with a name and a time. Nothing happens quietly.
The rules we run on
Always and never
We always
Sign the agreement before any data moves
Encrypt every byte, in transit and at rest
Scope access to exactly what the job requires
Watch the logs around the clock
We never
Email claim files or handle them as loose attachments
Store client data on laptops or portable media
Give a vendor access before a BAA is signed
Let an access to health data go unlogged
Questions
Ask us directly
If your security or compliance team wants to go deeper, we are glad to walk through it. Reach us through the contact page and you will get a direct answer.