Meet BastionGPT

Built with Security as our Priority

In an era where data breaches are all too common, BastionGPT stands as a bastion of security. Our HIPAA-compliant, ChatGPT-powered AI provides a secure and trustworthy AI service for healthcare.

Healthcare security is complicated.

BastionGPT makes it easy.

Our Approach

Our team culture and operations are centered on maintaining customer trust, which is our utmost priority. We uphold this commitment by making cybersecurity the core of all our operations, employing a defense-in-depth strategy and aligning with NIST standards. We adhere to best-in-class security practices to ensure that all chat history and customer data is processed, stored and handled in alignment with HIPAA regulations.

Risk Assessment and Vulnerability Scans

To protect your data from evolving cybersecurity threats, we conduct internal risk assessments. These assessments are performed regularly and include trusted 3rd-party review of code for security flaws after every major code modification. Our services maintain an A+ rating with SecurityScorecard.

Penetration Tests and Code Reviews

To ensure the highest level of security, we perform regular 3rd-party penetration tests. These tests are designed to detect potential vulnerabilities and enable us to strengthen our defensive measures. We also conduct static code reviews at every code deployment to scrutinize our codebase for vulnerabilities that might go undetected in dynamic analysis.

Data Access and Control

Access to information submitted to BastionGPT is limited to trained individuals with a need to know, always according to the principle of least privilege. Chat history is stored within the BastionGPT secure cloud and is deleted after 30 days. It is accessed only when needed to investigate abuse or resolve a technical problem.

To ensure the security of your information, the BastionGPT team does not provide 3rd-party access to sensitive customer information, such as PHI or PII, apart from Microsoft. BastionGPT has the requisite HIPAA BAA and security assurances in place with Microsoft to ensure your information remains secure.

Chat history is not provided to OpenAI, and is not used to develop future models of ChatGPT.

Security History

Our company takes pride in our intense focus on cybersecurity and has not fallen victim to any breaches of security. Our steadfast commitment to rigorous security protocols and preventative measures has proven to be effective in safeguarding our systems and data.

Trust and Compliance Portal

For information about our Trust and Compliance program, you can view our portal at https://fortatech-security.trustshare.com/home

Security & Compliance FAQs

Is the system HIPAA- and 42 CFR Part 2–compliant?

Yes, BastionGPT is engineered to support the requirements of both HIPAA and 42 CFR Part 2 for the handling of sensitive health information.

Will the vendor sign a Business Associate Agreement (BAA)?

Yes, all of our plans automatically incorporate a BAA. You can review our BAA and related terms here. Where preferred, BAAs can be routed via Docusign at no additional cost.

Are all recordings and transcripts encrypted?

Yes, sensitive data such as recordings and transcripts are encrypted using industry-standard measures: TLS 1.2+ for data in transit and AES-256 for data at rest. Please note that there are manual options to copy or download data in plaintext formats such as .mp4 and .txt files; data exported this way leaves the encrypted storage described above and is the user's responsibility to protect.

Is my data used for AI training?

Data entered into BastionGPT is never sold or used for training AI models. BastionGPT makes no claim to any data that you provide.

Is it safe and compliant to enter Protected Health Information (PHI)?

Users have the ability to enter PHI into the system, where it will be transmitted and stored appropriately in line with HIPAA requirements.

Can data be deleted immediately after use?

BastionGPT provides the option to immediately delete specific items or all data at once. Data is retained for up to 30 days in our secure audit vault to support required auditing, such as monitoring for illegal or prohibited system use. Custom data retention schedules will be released in early 2026.

Does it support MFA and role-based access?

Yes, our Enterprise plans support the use of your organization's existing Single Sign-On (SSO) and authentication platform. All other plans support email-based MFA with adaptive authentication.

Is data stored on U.S.-based servers?

Yes, customers with a USA billing address will store and process sensitive data within the USA. Sensitive data from customers with billing addresses in Canada or Australia will reside in their respective country.

Are audit logs available for all access and actions?

Audit logs are maintained and monitored internally by our security team and can be requested ad-hoc as needed by the customer. Frequent audit log requests may incur administrative fees. Customers utilizing the Enterprise plans have access to automated data feeds if desired.

Has the system undergone a recent SOC 2 Type II or penetration test?

Yes, BastionGPT routinely performs internal and external (3rd-party) penetration tests to validate our systems' security.

BastionGPT exclusively operates on HITRUST CSF Certified and SOC 2 Type II attested infrastructure for all services processing, storing, or transmitting sensitive or confidential customer data, including all data submitted through the BastionGPT API and user interface. Our infrastructure providers maintain current certifications with annual audits.

Additionally, BastionGPT is pursuing its own HITRUST CSF Certification and SOC 2 Type II attestation. We are currently undergoing readiness activities, with no significant technical gaps observed to date. In the interim, we maintain comprehensive security controls aligned with HITRUST CSF and HIPAA requirements.

Is there a documented incident response plan?

Yes, we maintain a documented incident response plan that is regularly reviewed and tested in accordance with industry best practices and compliance requirements.

Trust BastionGPT

Review our confidential security whitepaper and architecture with a cybersecurity expert.

Proven Security

Healthcare applications must stand up to the most sophisticated of attacks every day. BastionGPT was designed with security and privacy at its core, to ensure information stays safe from prying eyes and cyber threats.

“The role of penetration tests and code reviews in our security strategy can't be overstated. Our commitment to these proactive measures is our way of ensuring that our service is always a step ahead, ready to deal with potential vulnerabilities before they become actual threats.”

Josh Spencer
CISSP, C|EH, CISA

“During my testing process, I was impressed by the robustness and resilience of this application. BastionGPT is one of the most secure platforms I have tested.”

Abir Dhar
Cybersecurity Expert
