How we handle your hospital's data.

Plain answers for security, IT, and compliance teams. base9health is built to PDPA standards (Singapore and Malaysia), aligned with regional MOH guidelines, and ready to support HIPAA for hospitals that need it. Verifiable answers, not just our word for them.

Trust overview (five areas)
  • 01 PDPA & PDPC: Aligned with Singapore and Malaysia data-protection law. Status: Ready
  • 02 Encryption: In transit and at rest, industry-standard. Status: Configured
  • 03 Identity: SSO via Okta, Entra, Ping. SCIM provisioning. Status: Configured
  • 04 Data residency: PHI stays in your contracted region. Status: By contract
  • 05 Audit logs: Every action logged with user and reason. Status: Built-in

How we handle data.

A short version of what's in our trust package.

01

PDPA-aligned, by design.

Built to Singapore PDPA and Malaysia PDPA standards, with the Advisory Guidelines for the Healthcare Sector applied throughout. HIPAA support available for hospitals serving U.S. or international patients. Data Protection Agreement signed before any production data touches the platform.

02

Encryption everywhere.

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Single-tenant deployments support customer-managed keys.

03

Identity and access.

SSO via your existing identity provider (Okta, Microsoft Entra, Ping). SCIM for automated provisioning. MFA enforced for all internal access.

04

Region-bounded data.

PHI stays in the region your contract specifies. No data leaves that region without a contractual amendment.

05

Verifiable audit logs.

Every user action is logged with timestamp, user, and reason. Logs are exportable to your security or audit team's existing tools.

Security details.

For the security teams who want the line-by-line.

  1. Encryption.

    TLS 1.2+ in transit. AES-256 at rest. Envelope encryption per tenant. Customer-managed keys available for single-tenant deployments where required by contract.

  2. Identity.

    SAML 2.0 and OIDC for SSO. SCIM 2.0 for automated provisioning. MFA enforced for all internal access. No shared credentials. Hardware-key-backed admin path.

  3. Access control.

    Role-based access, with attribute-based scoping at the row level. Production access is just-in-time, peer-approved, time-bound, and recorded.

  4. Data residency.

    PHI is stored in the region specified by your contract. Cross-region replication is opt-in only and never includes PHI without an explicit amendment.

  5. Vulnerability management.

    Continuous monitoring, regular third-party penetration testing, and a published remediation policy. Findings are tracked openly with prospects under MNDA.

  6. Personnel.

    Background checks for everyone with production access. Annual security and data-protection training (PDPA, HIPAA where relevant). Engineering on-call carries a security pager.

  7. Sub-processors.

    Public sub-processor list with advance notice on changes. Contractual flow-down of PDPA and HIPAA controls where applicable.

  8. Incident response.

    24/7 on-call. Customer notification within contractual SLA, tracked from a public status page. Post-incident reviews shared with affected customers.

Trust package

Send us your security questionnaire.

We'll send back our security policy (PDPA + HIPAA where applicable), the most recent third-party pen-test summary, our sub-processor list, our DPA / BAA templates, and our trust portal credentials. Most teams get what they need within two business days under MNDA.