Designed with HIPAA controls in mind.
Histolyx processes DICOM studies that may contain protected health information. We take that responsibility seriously. This page covers what we actually do: data encryption at rest and in transit, access control, audit logging, and HIPAA BAA availability. We are not SOC 2 certified and we do not claim HIPAA compliance as a blanket organizational assertion — we describe our controls precisely so your compliance team can evaluate them on their merits.
Four areas we take seriously.
These are the practices your IT team and compliance officers will ask about. We have documented answers to all of them.
Data encryption at rest and in transit
All DICOM data transmitted to Histolyx is encrypted in transit via TLS 1.2+. Data stored at rest for processing uses AES-256 encryption. Studies are retained only for the duration of processing and report generation, then purged per our data retention policy. We do not retain identifiable study data beyond what is required for active analysis.
Access control
Histolyx uses role-based access control with least-privilege principles. Imaging center administrators control which users can access the Histolyx dashboard and configuration interface. API keys are scoped to specific integration endpoints. Multi-factor authentication is enforced for all Histolyx team members with infrastructure access.
Audit logging
All study access, analysis events, and report generation are logged with timestamps and user/API key attribution. Logs are available to imaging center administrators for review. The log retention period is 90 days for operational logs and 12 months for security event logs. Logs are stored separately from study data.
HIPAA BAA availability
A Business Associate Agreement (BAA) is available for all Histolyx customers. The BAA covers Histolyx's role as a business associate under HIPAA when processing PHI-containing DICOM studies. The BAA is included with Growth and Enterprise plans and available on request for the Starter plan. Contact [email protected] to obtain the BAA.
Histolyx is designed with HIPAA Privacy Rule and Security Rule requirements in mind. We are not SOC 2 certified at this time and do not claim HIPAA certification as a standalone organizational assertion. We are an angel-stage company operating under the security controls described above. If your organization requires specific third-party audit documentation beyond what is described here, contact us to discuss.