arro handles PHI and sensitive credentialing records. We treat that data with the controls, audits, and transparency you'd expect from healthcare infrastructure.
Every record is encrypted, access is least-privilege, and every action is logged. The controls below apply to all plans.
Data is encrypted with TLS 1.2 or later in transit and AES-256 at rest. Keys are managed in a dedicated KMS and rotated on a regular schedule.
Role-based access controls, SSO, and enforced MFA. Staff see only the records their role requires.
Every verification, record access, and data change is written to a timestamped, immutable audit log that you can export for your own audits.
All PHI stored and processed in US-based infrastructure. No offshore data handling.
Annual third-party penetration testing, continuous vulnerability scanning, and 24/7 infrastructure monitoring.
A documented incident response plan, with breach notification timelines defined by the HIPAA Breach Notification Rule.
The commitments behind the controls: the things we hold ourselves to in writing.
A Business Associate Agreement is available to every customer handling PHI, before any data moves.
Your provider data is yours. Export it at any time, and we delete it on request in line with our retention policy.
We never sell or share provider data. It's used only to deliver verification and monitoring to you.
A current list of sub-processors is published and kept up to date, with advance notice before any changes.
We'll share our security documentation under NDA as part of your evaluation.