Security and Compliance
UNMIRI's HIPAA-ready architecture is in place. Single AWS BAA covers the entire PHI path; Microsoft Azure OpenAI covers narrow LLM inference. Pre-pilot and pre-revenue — first design-partner agreements are the next milestone.
Current Status
UNMIRI is pre-pilot and pre-revenue. The compliance plumbing is in place. Both major cloud providers are BAA-covered: the AWS Business Associate Addendum is in effect for our dedicated AWS production account, and the Microsoft Online Services HIPAA BAA covers our Azure usage. Azure OpenAI network access is locked to UNMIRI's AWS NAT egress IP. Full subprocessor list with effective dates lives on the subprocessors page.
We do not yet claim a SOC 2 audit. SOC 2 Type 1 readiness assessment is targeted for Q4 2026 with audit kickoff in Q1 2027, contingent on the first design-partner agreement. We do not publish dates we can't hit.
Architecture Principles
The following principles guide our infrastructure and security work. They describe how we plan to build, not what is operating in production today.
- HIPAA-eligible cloud services on any path that may carry Protected Health Information.
- End-to-end encryption in transit and at rest, using vendor-managed keys with rotation.
- Role-based access controls with least-privilege defaults and multi-factor authentication on production accounts.
- Audit logging on sensitive operations, with immutable storage and retention aligned to clinical recordkeeping expectations.
- Regular security review of code, dependencies, and infrastructure, including dependency scanning and periodic third-party testing.
- Vendor risk management for every subprocessor that handles sensitive data, including BAA review, data-flow mapping, and ongoing oversight.
- Federated architecture for real-world evidence: a longer-horizon roadmap item, not a near-term capability. The design keeps aggregate statistics inside customer environments so PHI does not centralize at UNMIRI for RWE production. See the roadmap for sequencing.
- De-identified-only LLM prompts: variant data is normalized to remove patient identifiers before any external inference API call.
Subprocessors
The current subprocessor list is published on the subprocessors page. Active BAAs will be confirmed and disclosed there as they are signed. Until a BAA is signed and verified for a given vendor, that vendor will not be listed as an active PHI processing partner.
Cloud strategy
One BAA covers the entire PHI path. The PHI control plane runs in a single AWS account in us-east-1 under the AWS BAA. That account holds RDS Postgres (structured clinical data, audit logs), S3 with SSE-KMS (encrypted document storage), AWS KMS (key management), AWS Textract (PDF extraction), AWS Lambda + API Gateway + Step Functions (compute), Cognito (authentication), Amplify Hosting (app surface at app.unmiri.com), and CloudWatch Logs (audit trail). The app surface holds no database driver: every read and write routes through api.unmiri.com, the VPC-attached API that is the only path to RDS, so Postgres stays fully private.
Microsoft Azure covers narrow LLM inference under the Microsoft Online Services HIPAA BAA. Azure OpenAI handles the Tier-4 vision LLM (extraction edge cases on PDF pages that fail Tier-1/2/3 deterministic parsing) and an LLM-judge step. Final clinical surfaces are rendered from deterministic templates, not LLM prose. Azure OpenAI network access is firewall-locked to UNMIRI's AWS NAT egress IP; inputs are de-identified variant context only, with no PHI identifiers in prompts.
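The de-identified-only prompt principle listed under Architecture Principles and the Azure inference path described here both rest on the same gate: only a fixed allowlist of variant fields may leave the AWS boundary, and anything identifier-shaped blocks the call. The following is an added illustration of that gate, not UNMIRI's code; the field names, record shape and identifier patterns are assumptions for the example.

```python
"""Allowlist-based de-identification gate for outbound LLM prompts.

Added example, not UNMIRI's implementation. The allowlisted field names,
the record shape and the identifier patterns are assumptions.
"""
import re

# Only these (assumed) variant fields may be sent to external inference.
VARIANT_ALLOWLIST = frozenset(
    {"gene", "hgvs_c", "hgvs_p", "zygosity", "classification", "assay"}
)

# Identifier-shaped values; any hit blocks the external call outright.
_IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # SSN-shaped
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),      # ISO date (DOB, collection date)
    re.compile(r"\b[Mm][Rr][Nn][:#]?\s*\d+\b"),  # medical record number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),     # e-mail address
]


class PHILeakError(ValueError):
    """Raised when a value destined for an external prompt looks like PHI."""


def deidentify_variant(record: dict) -> dict:
    """Project a record onto the allowlist, then verify nothing identifying remains.

    Projection drops every non-allowlisted key (names, MRN, DOB, ...) before the
    pattern scan, so the scan only guards against identifiers smuggled inside
    otherwise-allowed fields (e.g. free-text pasted into a gene column).
    """
    cleaned = {k: record[k] for k in VARIANT_ALLOWLIST if k in record}
    for key, value in cleaned.items():
        for pat in _IDENTIFIER_PATTERNS:
            if pat.search(str(value)):
                raise PHILeakError(f"field {key!r} contains an identifier-like value")
    return cleaned


def is_safe_for_external_inference(record: dict) -> bool:
    """True when the record can be reduced to de-identified variant context."""
    try:
        deidentify_variant(record)
        return True
    except PHILeakError:
        return False


def build_prompt(record: dict) -> str:
    """Render the de-identified context as the prompt body for external inference."""
    cleaned = deidentify_variant(record)
    return "Variant context:\n" + "\n".join(f"{k}: {cleaned[k]}" for k in sorted(cleaned))
```

The gate fails closed: a record is rejected rather than partially redacted when an allowed field carries something identifier-shaped, so the external call never happens.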
Vercel hosts the marketing site only and is deliberately out of BAA scope. The marketing site at unmiri.com takes no file uploads, has no authenticated routes, and never connects to RDS or any data store containing PHI. Marketing forms collect business inquiries (name, email, company, role) and route via Resend email — never PHI, by convention. If marketing requirements ever change to include PHI handling, the route moves to app.unmiri.com (AWS) rather than expanding Vercel's BAA scope. This is an architectural decision, not a temporary state.
Roadmap
SOC 2 Type 1 readiness assessment is targeted for Q4 2026, with audit kickoff in Q1 2027 contingent on the first design-partner agreement. HITRUST follows in a later window, depending on customer requirements. Specific dates land here once controls, evidence collection, and audit relationships are in place. We don't publish dates we can't hit.
Contact
For compliance questions, vendor due-diligence requests, or to ask about the status of any item on this page, email security@unmiri.com. We respond to compliance inquiries directly rather than through a portal.
This page describes UNMIRI LLC's in-development security and compliance posture as of May 22, 2026. It is not a contract and does not create legal obligations. Specific commitments will be made through executed Business Associate Agreements and Master Services Agreements with each customer.