Data protection

Security at PathwAI

PathwAI is built for health and wellness programs that collect sensitive patient data. This page summarizes our infrastructure posture, data-handling practices, and the information your IT or security team needs to complete a vendor review. If you need more, we're happy to answer a questionnaire or get on a call.

Infrastructure and hosting

PathwAI runs on Cloudflare's global edge network and Workers platform. Cloudflare provides DDoS protection and WAF policies at the network layer. Application data is stored on Amazon Web Services (hosting, compute, and storage) and MongoDB Atlas (the primary data store for configuration, profiles, and definitions). Patient-facing flows are served from edge locations closest to the user, minimizing latency and reducing the attack surface of exposed origin servers.

Edge hosting

Deployed on Cloudflare Pages and Workers. No traditional origin server to patch, expose, or harden independently.

DDoS and WAF

Cloudflare's network-layer DDoS mitigation and Web Application Firewall protect all endpoints by default.

Availability

The Cloudflare network has a published SLA of 99.99% uptime. Enterprise customers can access PathwAI's own uptime reporting.

Data handling and encryption

Encryption in transit

All data between patients and PathwAI is encrypted in transit using TLS 1.2+. This includes the intake flow itself, API calls from the builder, and webhook deliveries to your downstream systems.

Encryption at rest

Data stored in PathwAI's infrastructure (response records, workspace configuration) is encrypted at rest using AES-256 or an equivalent cipher, managed by the underlying cloud provider.

Data minimization

Only fields explicitly configured in your builder are collected. There is no ambient telemetry on patient responses beyond what you configure for your analytics.

Retention and deletion

Data retention periods are defined in your agreement. On cancellation or request, we export and securely delete patient data according to your BAA or data processing agreement.

Access controls

Access to your workspace and patient data is limited to users you explicitly invite. PathwAI enforces role-based access patterns within workspaces, and all administrative access to production systems by PathwAI staff follows least-privilege principles.

Workspace access

Your workspace is isolated from others. Invited users see only the data and flows in your workspace.

SSO / SAML (Enterprise)

Enterprise customers can enforce SSO with their existing identity provider (Okta, Azure AD, Google Workspace) so that access is governed by their own IAM policies.

PathwAI staff access

Access to production data by PathwAI team members is restricted, audited, and limited to what is necessary to operate the service. No employee has standing access to patient-submitted responses.

Incident response

PathwAI maintains a documented incident response procedure. In the event of a security incident that may involve PHI or sensitive patient data, we follow a defined process for detection, containment, notification, and post-incident review.

Detection and triage

Monitoring alerts on anomalous activity at the infrastructure and application layers. Incidents are triaged against a severity classification and assigned an owner within defined SLAs.

Notification obligations

For Enterprise BAA customers, PathwAI will notify you of a security incident involving PHI within the timeframes defined in the BAA—which align with HIPAA's Breach Notification Rule requirements.

Post-incident review

Every severity-1 incident triggers a post-mortem that feeds into control improvements. Customers can request a summary of findings.

Escalation contact

Security reports and urgent issues go to [email protected], monitored by the engineering and ops team.

Vendor review and questionnaires

We understand that evaluating a health-data vendor involves real legal and IT review. We have been through this process with regulated health operators and are set up to support it efficiently.

What we can provide
  • Completed security questionnaires (CAIQ, SIG, or custom formats)
  • Architecture and data flow walkthrough with your IT team
  • Subprocessor list with purpose, location, and website (see subprocessors page)
  • HIPAA alignment summary and BAA (Enterprise)
  • Penetration test summary on request (Enterprise)
  • Data Processing Agreement for GDPR or applicable state privacy law

Security FAQ

Where is patient data hosted?

PathwAI's application and data layer runs on Cloudflare's global infrastructure, with data centers primarily in the US. Enterprise customers can discuss region preferences during onboarding.

Has PathwAI undergone a penetration test?

PathwAI conducts periodic security assessments. Enterprise customers may request a summary of recent findings. We do not publish full reports publicly, but we share relevant sections with customers under NDA.

Is PathwAI SOC 2 certified?

SOC 2 Type II is on our roadmap. We are not certified today, but we support compliance reviews by providing the equivalent documentation (questionnaire responses, architecture summaries, subprocessor list, and security policy summaries). For health-program operators, the most relevant certification is HIPAA alignment—which we do document.

What third parties have access to patient data?

A defined set of subprocessors receive data to deliver the service—cloud hosting, payment processing, and analytics infrastructure. We maintain subprocessor agreements with all of them and publish the list on our subprocessors page.

How are vulnerabilities in dependencies managed?

We monitor our dependency tree for known CVEs and maintain a patching cadence for critical and high severity findings. Our edge deployment model limits direct exposure of application servers to the public internet.

Can we run PathwAI in our own cloud account?

PathwAI is a hosted SaaS product. Bring-your-own-cloud deployment is not offered at this time. For teams with strict data residency requirements, contact us to discuss what Enterprise can accommodate.
Have a questionnaire or security review?

Send it to [email protected] or book a call and we will respond promptly with complete documentation.