HIPAA Compliance
Effective date: June 6, 2026 · Last updated: June 6, 2026
Health Insurance Portability and Accountability Act (45 CFR Parts 160 and 164)
⚠ Important: This page describes Vaultix-ID's HIPAA capabilities. A signed Business Associate Agreement (BAA) is required before using Vaultix-ID in any application that processes Protected Health Information (PHI). BAAs are available on Business and Enterprise plans only. Contact legal@smritix-ai.com to initiate.
Vaultix-ID, provided by Smritix AI LLP, can be configured to support HIPAA-compliant authentication workflows for applications that process Protected Health Information (PHI). This page describes our approach, the safeguards we have in place, and the responsibilities of covered entities and business associates using our platform.
1. Understanding Our Role
Is Smritix AI LLP a Covered Entity?
No. Smritix AI LLP is not a covered entity under HIPAA. We are a technology service provider that may act as a Business Associate when our Services are used by covered entities or their business associates to process PHI.
When Does HIPAA Apply to Vaultix-ID?
HIPAA applies to your use of Vaultix-ID if:
- Your organisation is a covered entity (healthcare provider, health plan, or healthcare clearinghouse) or a business associate
- You use Vaultix-ID to authenticate users of an application that creates, receives, maintains, or transmits PHI
- PHI is included in user metadata, authentication payloads, or audit logs processed through Vaultix-ID
Note: Authentication identifiers (email, user ID, session token) are not PHI by themselves. PHI only becomes involved when linked with health information.
2. Business Associate Agreement (BAA)
A signed BAA is a HIPAA requirement before any PHI may flow through a business associate's systems. Our BAA:
- Defines the permitted uses and disclosures of PHI by Smritix AI LLP
- Requires us to implement appropriate safeguards to protect PHI
- Requires us to report breaches of unsecured PHI within 60 days of discovery
- Requires us to ensure any sub-processors (Supabase, Vercel, Resend) agree to equivalent PHI protections
- Requires us to return or destroy PHI upon termination of the agreement
BAA availability by plan:
- Hobby / Pro: No BAA available. Do not use for PHI.
- Business: Standard BAA available. Contact us to execute.
- Enterprise: Custom BAA with negotiated terms available.
To request a BAA, email legal@smritix-ai.com with your organisation name and plan details.
3. Technical Safeguards (§164.312)
Vaultix-ID implements the following HIPAA Technical Safeguards:
- ✓Unique user identification — every session is tied to a single user ID
- ✓Role-based access control (RBAC) via organisation memberships
- ✓Automatic session expiry — sessions expire after a configurable period (default 30 days)
- ✓Emergency access revocation — sessions can be immediately invalidated via the dashboard or DELETE /v1/session
- ✓Audit logs record all authentication events with user ID, timestamp, IP, and outcome
- ✓All auth events (sign-in, sign-out, MFA, OAuth, token exchange) are logged to the auth_events table
- ✓Logs include: user ID, application ID, IP address, country, method, outcome, timestamp
- ✓Webhook delivery history with HTTP status codes and timestamps
- ✓Log retention configurable on Enterprise plans; default 90 days
- ✓Sessions validated using RS256-signed JWTs — tokens are cryptographically verified on every request
- ✓JWT expiry enforced server-side via database row check — replay of expired tokens is rejected
- ✓Webhook payloads signed with HMAC-SHA256 to ensure integrity of event notifications
- ✓Handshake tokens are designed to be single-use (see roadmap for jti-based replay prevention)
- ✓All data in transit encrypted with TLS 1.2 or higher
- ✓HSTS enforced on all Vaultix-ID endpoints
- ✓Session cookie attributes: HttpOnly, Secure, SameSite=None — cannot be intercepted via JavaScript
- ✓API keys transmitted only via HTTPS and stored server-side in encrypted environment variables
4. Physical Safeguards (§164.310)
Physical safeguards are the responsibility of our infrastructure providers:
- Vercel: SOC 2 Type II certified. Data centres with physical access controls, surveillance, and environmental controls. vercel.com/security ↗
- Supabase: Hosted on AWS infrastructure with SOC 2 Type II and ISO 27001 certifications. supabase.com/security ↗
5. Administrative Safeguards (§164.308)
- Security officer: Smritix AI LLP has designated a security point of contact at security@smritix-ai.com
- Risk analysis: We conduct periodic risk assessments of the Vaultix-ID infrastructure
- Workforce controls: Access to production systems is limited to authorised personnel only
- Incident procedures: Documented incident response and breach notification procedures are in place
- Contingency plan: Database backups managed by Supabase with point-in-time recovery
6. Breach Notification (§164.410)
In the event of a breach of unsecured PHI involving Vaultix-ID, Smritix AI LLP will:
- Notify you (the covered entity or business associate) without unreasonable delay and within 60 calendar days of discovery
- Provide the identity of individuals whose PHI was involved (if known), the type of PHI involved, how the breach occurred, and mitigation steps taken
- Cooperate fully with your breach notification obligations to HHS and affected individuals
To report a suspected breach or security issue: security@smritix-ai.com
7. Your Responsibilities as a Covered Entity or BA
⚠ Important: Signing a BAA with Smritix AI LLP does not make your application HIPAA-compliant by itself. You remain responsible for ensuring your application implements appropriate safeguards for any PHI it processes.
As an operator using Vaultix-ID in a HIPAA context, you are responsible for:
- Executing a BAA with Smritix AI LLP before processing PHI
- Ensuring your application's handling of PHI complies with HIPAA Security and Privacy Rules
- Not including PHI in authentication tokens, user metadata fields, or webhook payloads unless your BAA explicitly permits it
- Configuring appropriate session expiry, MFA requirements, and access controls for healthcare users
- Training your workforce on HIPAA requirements
- Executing BAAs with all your own vendors and sub-processors
8. Recommended Configuration for HIPAA Workloads
- Enable TOTP MFA for all healthcare application users — adds a required second factor
- Set session expiry to 8 hours or less for clinical environments
- Enable audit log export (Enterprise) and feed logs to your SIEM
- Use private metadata (server-only) for any PHI-adjacent user attributes — never public metadata
- Configure webhook delivery to your audit logging endpoint for all auth events
- Implement IP allowlisting at your application level for administrative users
9. Contact
For HIPAA enquiries, BAA requests, or to report a security incident:
- Legal / BAA: legal@smritix-ai.com
- Security incidents: security@smritix-ai.com
- Company: Smritix AI LLP, India