TRUST CENTER · SECURITY & COMPLIANCE

Built for hospital security review.

ARKA ships with the controls, documentation, and evidence trail your CISO will ask about — adopted now, before our first byte of PHI, not retrofitted after. Synthetic-data demo. Encryption everywhere. A 21-document compliance package ready for diligence.

HIPAA program in force
SOC 2 Type I/II in progress
HITRUST e1 roadmap

Download Data Security Overview (PDF)Request diligence package

We describe our posture exactly as it is: HIPAA program in force; SOC 2 and HITRUST e1 in progress on a published timeline. No certification claims before the certificate exists.

Compliance at a glance

Four frameworks, one program. Statuses below are kept deliberately exact — they update the day an artifact is issued, and never before.

HIPAA — Privacy, Security & Breach Notification Rules

Program in force

Full privacy and security policy suite adopted and operating; business associate agreement ready for execution; annual NIST 800-30 risk analysis complete.

What this means

HIPAA has no government certification. Compliance is demonstrated through adopted policies, implemented safeguards, and a six-year evidence trail — all maintained under ARKA's Information Security & Compliance Program Charter and available for diligence review.

ARKA-GOV-001 · ARKA-PRIV series · ARKA-SEC series

SOC 2 — Security, Availability, Confidentiality

In progress

Readiness assessment complete against the 2017 Trust Services Criteria (2022 points of focus). Type I examination targeted December 2026; Type II report mid-2027.

What this means

ARKA does not claim SOC 2 attestation before the auditor's report is issued. On issuance, the report will be available to customers and prospects under NDA.

ARKA-RDY-002

HITRUST e1 — Essentials, 1-Year Validated

Roadmap active

44-requirement e1 tier selected as the appropriate entry certification; MyCSF self-assessment Q1 2027, validated assessment H1 2027. ~80–90% control overlap with the SOC 2 program lets one evidence body serve both.

What this means

ARKA is not HITRUST certified and will not use the phrase or the seal until the validated assessment is issued.

ARKA-RDY-003

2025 HIPAA Security Rule NPRM

Adopted as baseline

The December 2024 OCR proposal's heightened specifications are ARKA's internal baseline today: mandatory MFA, universal encryption, asset inventory and network map, six-month vulnerability scans, annual penetration testing, segmentation, 72-hour restore capability.

What this means

Designing to the proposed rule now means no scramble when it is finalized — and answers the question hospital CISOs are already asking vendors.

ARKA-SEC-001 § 5 · ARKA-SEC-007

The controls behind the claims

Every pillar below maps to an adopted policy with a document number — not a slide. Auditors get the policy; you get the summary.

Encryption everywhere

AES-256 at rest across databases, object storage, and backups
TLS 1.2+ in transit (1.3 preferred), HSTS on all public endpoints
Keys in managed KMS; rotation and custody documented; no plaintext ePHI anywhere

Access control

MFA on all production, code, and data systems; FIDO2 hardware keys for admins
Role-based least privilege from a documented access matrix; quarterly reviews
24-hour deprovisioning; break-glass access alarmed, logged, and reviewed

Audit & monitoring

Append-only audit trail: record-level access, admin actions, deployments
Security logs retained 6 years; alerting on anomalous access and exports
Weekly security review; monthly sampled access-log review

Resilience

Immutable cross-region backups: 35-day point-in-time + 12-month archives
Quarterly restore tests; annual full recovery exercise
72-hour restoration standard for critical systems; 15-minute RPO on the data tier

Vendor & subcontractor risk

Tiered vendor register; BAAs executed with every PHI-touching subprocessor
Annual attestation review (SOC 2 / ISO 27001) mapped to shared-responsibility matrix
NIST 800-88 return/destruction on offboarding

Secure development

Protected branches; CI gates: type checks, compliance tests, dependency audit, secret scanning
No production data in dev, test, or demo — synthetic fixtures enforced by CI guards
Independent penetration test annually; criticals fixed in 10 days

0
PHI records in the demo environment — 100% synthetic data: 0
controlled documents in the compliance package: 6 yr
security-evidence retention (45 C.F.R. § 164.316): ≤ 10 bd
customer breach notice under our BAA: 72 h
critical-system restore standard: 0%
of workforce trained before production access

Where we are on the road to certification

Published timeline, no vague 'coming soon': these are the same dates in our board-approved roadmap (ARKA-RDY-004).

Q2 2026
Policy suite adopted
21-document HIPAA/SOC 2/HITRUST program in force; initial NIST 800-30 risk analysis complete
Q3 2026
Hardening & evidence accrual
FIDO2 rollout, cloud-posture scanning, cyber insurance, audit-firm engagement
Q4 2026
Pen test + SOC 2 Type I
First independent penetration test; Type I examination as of December 2026
Q4 2026 – Q2 2027
Type II observation window
≥ 3 months of operating evidence; first design-partner BAAs executed
H1 2027
SOC 2 Type II report · HITRUST e1
Type II report issued; e1 validated assessment submitted for certification

Compliance package coverage

21 controlled documents by series

Compliance package coverage by document series
Series	Document count
Security	12
Readiness	4
Privacy	2
Governance	1
Contracts	1
Demo	1

Index: ARKA-IDX-000 · Package shared under NDA — see Documents below.

The documentation, itemized

Hospital security questionnaires go faster when the answers are already written down. Every document below is version-controlled, officer-approved, and available under NDA.

Data Security Overview (PDF)

One-page summary — no NDA needed.

Download

Compliance & Regulatory Dossier (PDF)

FDA posture, regulatory timeline, and program overview.

Download

Governance

ARKA-GOV-001Information Security & Compliance Program Charter

Privacy

ARKA-PRIV-001HIPAA Privacy Policy
ARKA-PRIV-002De-Identification & Limited Data Set Policy

Contracts

ARKA-LGL-001Business Associate Agreement (Template)

Security

ARKA-SEC-001Information Security Policy
ARKA-SEC-002Risk Analysis & Risk Management
ARKA-SEC-003Access Control & Identity Management
ARKA-SEC-004Encryption & Key Management
ARKA-SEC-005Audit Logging & Monitoring
ARKA-SEC-006Incident Response & Breach Notification
ARKA-SEC-007Contingency Plan (Backup, DR & Emergency Mode)
ARKA-SEC-008Workforce Training & Sanctions
ARKA-SEC-009Vendor & Subcontractor Risk Management
ARKA-SEC-010Secure SDLC & Change Management
ARKA-SEC-011Data Classification, Retention & Disposal
ARKA-SEC-012Acceptable Use, Workstation & Mobile Device

Readiness

ARKA-RDY-001HIPAA Security Risk Assessment Report (2026)
ARKA-RDY-002SOC 2 Readiness & Gap Assessment
ARKA-RDY-003HITRUST e1 Readiness Roadmap
ARKA-RDY-004Compliance Roadmap & Certification Timeline

Demo

ARKA-DEMO-001Demo Environment Synthetic Data Policy & No-PHI Attestation

Running vendor security review?

Request the full package and a completed security questionnaire seed. Typical turnaround: 2 business days.

Request full package

Zero PHI in the demo — by design, verified quarterly

Every patient, scenario, and record in the ARKA demonstration environment is synthetic. Seed records carry an [ARKA-DEMO] marker, fixtures come from our synthetic-data generator, CI guards block production data sources from demo code paths, and the officer-signed attestation (ARKA-DEMO-001) is re-verified every quarter. If you spot anything that looks real, tell us: security@getarka.health — it isn't, but we treat reports as incidents anyway.

Last verification: June 10, 2026

Straight answers

The questions clinicians, CISOs, and investors actually ask — answered the way we answer them in diligence.

Looking for our FDA regulatory posture (Non-Device CDS analysis, Pre-Sub package)? That lives in the Trust Center →

Loading…

Built for hospital security review.

HIPAA program in force

SOC 2 Type I/II in progress

HITRUST e1 roadmap

We describe our posture exactly as it is: HIPAA program in force; SOC 2 and HITRUST e1 in progress on a published timeline. No certification claims before the certificate exists.

Compliance package coverage by document series
Series	Document count
Security	12
Readiness	4
Privacy	2
Governance	1
Contracts	1
Demo	1

Compliance package coverage by document series

Series

Document count

Security

Readiness

Privacy

Governance

Contracts

Demo

Zero PHI in the demo — by design, verified quarterly

Last verification: June 10, 2026