BastionGPT was designed from day one for healthcare. HIPAA-compliant, BAA included, independently tested, and continuously assessed by a team of healthcare security veterans.
We invest in security the way the regulated industries we serve expect: continuously, independently, and on a published cadence. Here's what that looks like in practice.
BastionGPT is built and operated by a team that has spent decades inside healthcare. Our CEO previously led technology and security for one of the largest medical centers in the country, and that experience shapes every decision we make. We treat HIPAA compliance, encryption (in transit and at rest), role-based access, and audit logging as defaults, not enterprise upsells. Every paid plan includes a signed Business Associate Agreement, and your data is never used to train any underlying AI model.
Most companies treat third-party risk assessments as a regulatory tax. We treat them as one of the most valuable signals we get. BastionGPT engages outside security firms on a recurring basis to evaluate our environment against the HIPAA Security Rule, the HHS-recognized security practices, and broader cyber frameworks such as NIST CSF and NIST SP 800-53. The findings are tracked, prioritized, and remediated in the same systems our engineers ship product changes through, so security work compounds instead of getting filed away.
BastionGPT is independently penetration tested at least annually by a third-party offensive-security firm, with additional targeted tests around major platform changes. Tests cover the web application, API surface, authentication and tenant isolation, and the AI inference pipeline itself, including prompt-injection and data-exfiltration scenarios specific to LLM applications. We also run static and dynamic code analysis on every change, and our codebase is reviewed by senior engineers before anything reaches production.
We follow a data minimization model. BastionGPT collects only what's necessary to provide the service, segregates customer data by tenant, and encrypts it both in transit (TLS 1.2+) and at rest (AES-256). Customer prompts and outputs are not retained for model training, and data residency for protected health information sits within hardened, BAA-covered infrastructure.
BastionGPT has been in market for three years and serves more than 10,000 healthcare organizations. In that time we have had zero reportable breaches of protected health information. Every security event, no matter how minor, is logged and reviewed; material findings are disclosed to affected customers under our incident response policy and the timelines required by the HIPAA Breach Notification Rule.
Our BAA template, third-party penetration test summary, HIPAA Security Rule mapping, infrastructure attestations from our SOC 2 and HITRUST-certified infrastructure providers, sub-processor list, and architecture overview all live in one continuously-updated trust center, available under NDA when an enterprise security review needs it.
The questions enterprise security, privacy, and procurement teams ask us most often.
Yes, BastionGPT is engineered to support the requirements of both HIPAA and 42 CFR Part 2 for the handling of sensitive health information.
Yes, all of our plans automatically include a BAA. You can review our BAA and related terms here. Where preferred, BAAs can be routed via DocuSign at no additional cost.
For most customers, the standard BastionGPT BAA, executed automatically when you electronically accept the Terms at the start of a trial, covers all users in that organization, including users added later. For multi-entity organizations (e.g., a parent organization with several legal subsidiaries), we generally recommend executing a separate BAA per legal entity. Our support team can help you scope this if you would like assistance. On request, the BAA can be routed for mutual signature via DocuSign.
Yes. Sensitive data such as recordings and transcripts is encrypted using industry-standard measures: TLS 1.2+ for data in transit and AES-256 for data at rest. Note that users can manually copy or download data in plaintext formats such as .mp4 and .txt files; once exported, those copies sit outside BastionGPT's encryption controls and are the customer's responsibility to protect.
Data entered into BastionGPT is never sold or used for training AI models. BastionGPT makes no claim to any data that you provide. This is contractually guaranteed in our privacy policy and terms.
Users may enter PHI into the system; it is transmitted and stored in line with HIPAA requirements.
BastionGPT lets you immediately delete specific items or all data at once. Deleted data is retained for up to 30 days in our secure audit vault to support required auditing, such as monitoring for illegal or prohibited system use, before it is purged.
Yes, our Enterprise plans support the use of your organization's existing Single Sign-On (SSO) and authentication platform. All other plans support email-based MFA with adaptive authentication.
Yes. Sensitive data for customers with a US billing address is stored and processed within the US. Sensitive data for customers with billing addresses in Canada or Australia defaults to residing in the respective country.
Audit logs are maintained and monitored internally by our security team and can be requested ad hoc by the customer. Frequent audit log requests may incur administrative fees. Customers on Enterprise plans have access to automated audit log feeds if desired.
Yes, BastionGPT routinely performs internal and external (third-party) penetration tests to validate the security of our systems.
BastionGPT exclusively operates on HITRUST CSF Certified and SOC 2 Type II attested infrastructure for all services processing, storing, or transmitting sensitive or confidential customer data, including all data submitted through the BastionGPT API and user interface. Our infrastructure providers maintain current certifications with annual audits.
Additionally, BastionGPT is pursuing its own HITRUST CSF Certification and SOC 2 Type II attestation. We are currently undergoing readiness activities, with no significant technical gaps observed to date. In the interim, we maintain comprehensive security controls aligned with HITRUST CSF and HIPAA requirements.
Yes, we maintain a documented incident response plan that is regularly reviewed and tested in accordance with industry best practices and compliance requirements.
30 minutes with our cybersecurity advisor. We'll walk through how BastionGPT protects your patient data and answer any questions specific to your practice.
Schedule a call →

BastionGPT's security posture is signed off by leaders who have spent their careers running security and compliance programs at the largest health systems in the country.

"BastionGPT was built using the same playbook I used to protect patient data at a major academic medical center. Defense in depth, recognized security practices, and an honest paper trail. We don't ship a control we can't evidence."

"During my testing process, I was impressed by the robustness and resilience of this application. BastionGPT is one of the most secure platforms I have tested."