Security & Compliance
HIPAA-compliant infrastructure, encryption, access controls, and audit trails.
🔒 HIPAA Compliant
Taliswitch is fully HIPAA-compliant with technical, administrative, and physical safeguards. We sign Business Associate Agreements (BAAs) with all customers.
HIPAA Compliance
Technical Safeguards
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Two-factor authentication (2FA)
- Automatic session timeouts
- IP allowlisting available
Administrative Safeguards
- BAA with all customers
- Security training for all staff
- Incident response plan
- Regular risk assessments
- Vendor management program
Physical Safeguards
- SOC 2 Type II certified data centers
- 24/7 physical security
- Biometric access controls
- Video surveillance
- Disaster recovery procedures
Audit Controls
- Complete audit logs for all PHI access
- User activity tracking
- Login/logout tracking
- Export audit reports
- Retention: 7 years minimum
Data Encryption
In Transit
All data transmitted between users and Taliswitch servers uses TLS 1.3 encryption:
- Web Application: HTTPS only (HTTP redirects to HTTPS)
- Mobile Apps: Certificate pinning for extra security
- API Calls: TLS 1.3 required for all endpoints
- Integrations: Secure connections to partner systems
At Rest
All PHI stored in Taliswitch databases is encrypted using AES-256:
- Database Encryption: Full disk encryption + field-level encryption for sensitive fields
- File Storage: Documents encrypted individually before storage
- Backups: Encrypted backups stored in geographically separate locations
- Key Management: AWS KMS with automatic key rotation
Access Controls
Invite-Only Access
Taliswitch does not allow self-registration. All users must be invited by an organization administrator:
- Email verification required before account activation
- Two-factor authentication (2FA) enforced for all users
- Password requirements: 12+ characters, complexity rules
- Account locked after 5 failed login attempts
Role-Based Permissions
Access is controlled by user roles:
- Admin: Full access to all facilities, user management, billing
- Facility Manager: Facility-level access, user management within facility
- Nurse: Access to assigned residents only
- Med Tech: Medication-focused view for assigned residents
- Pharmacy: Access to orders and documents for connected facilities
- Read-Only: View-only access (no edits or messages)
Multi-Tenant Isolation
Every customer has a separate, isolated environment:
- Data is logically isolated per organization
- No cross-organization data access
- Separate encryption keys per organization
- Independent backup and recovery
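The role table and the per-organization isolation rule above can be expressed as a single authorization check. The following is an added example, not Taliswitch code: the role names and the "view-only, no edits or messages" semantics come from this page, while the User/Resident data model, the action names, and the scope rules for Read-Only (limited to the user's own facilities) and Pharmacy (limited to connected facilities) are assumptions made for illustration.

```python
"""Added example (not Taliswitch code): authorization check combining the
role table and tenant isolation described on the Security & Compliance page.
Data model, action names and the Read-Only / Pharmacy scope rules are assumptions."""
from dataclasses import dataclass

# Actions a caller may request (assumed set for this example).
VIEW, EDIT, MESSAGE, VIEW_MEDS, VIEW_ORDERS = "view", "edit", "message", "view_meds", "view_orders"

# Which actions each role may perform at all (roles from the page's table).
ROLE_ACTIONS = {
    "Admin": {VIEW, EDIT, MESSAGE, VIEW_MEDS, VIEW_ORDERS},
    "Facility Manager": {VIEW, EDIT, MESSAGE, VIEW_MEDS, VIEW_ORDERS},
    "Nurse": {VIEW, EDIT, MESSAGE, VIEW_MEDS},
    "Med Tech": {VIEW, VIEW_MEDS},            # medication-focused view
    "Pharmacy": {VIEW, VIEW_ORDERS},          # orders and documents only
    "Read-Only": {VIEW, VIEW_MEDS, VIEW_ORDERS},  # no edits, no messages
}


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str
    facility_ids: frozenset = frozenset()            # facilities the user belongs to
    resident_ids: frozenset = frozenset()            # residents assigned to the user
    connected_facility_ids: frozenset = frozenset()  # Pharmacy role only (assumption)


@dataclass(frozen=True)
class Resident:
    resident_id: str
    org_id: str
    facility_id: str


def in_scope(user: User, resident: Resident) -> bool:
    """Which residents a role may reach at all, independent of the action."""
    if user.role == "Admin":
        return True                                   # all facilities in the organization
    if user.role in ("Facility Manager", "Read-Only"):
        return resident.facility_id in user.facility_ids
    if user.role in ("Nurse", "Med Tech"):
        return resident.resident_id in user.resident_ids   # assigned residents only
    if user.role == "Pharmacy":
        return resident.facility_id in user.connected_facility_ids
    return False                                      # unknown role: deny


def is_authorized(user: User, resident: Resident, action: str) -> bool:
    # 1. Tenant isolation runs first so no role can reach another organization's data.
    if user.org_id != resident.org_id:
        return False
    # 2. The role must be allowed to perform the action at all.
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False
    # 3. The resident must be inside the role's scope.
    return in_scope(user, resident)


# Constructed sample data for a quick self-check.
ORG_A, ORG_B = "org-a", "org-b"
RES_1 = Resident("res-1", ORG_A, "fac-1")
RES_2 = Resident("res-2", ORG_A, "fac-2")
ADMIN_A = User("u-admin-a", ORG_A, "Admin")
ADMIN_B = User("u-admin-b", ORG_B, "Admin")
NURSE = User("u-nurse", ORG_A, "Nurse", resident_ids=frozenset({"res-1"}))
READ_ONLY = User("u-ro", ORG_A, "Read-Only", facility_ids=frozenset({"fac-1"}))

if __name__ == "__main__":
    print("admin in org A edits res-2:", is_authorized(ADMIN_A, RES_2, EDIT))
    print("admin in org B views res-1:", is_authorized(ADMIN_B, RES_1, VIEW))
    print("nurse edits unassigned res-2:", is_authorized(NURSE, RES_2, EDIT))
    print("read-only sends message:", is_authorized(READ_ONLY, RES_1, MESSAGE))
```

The order of the three checks matters: the organization comparison is evaluated before any role logic, so an Admin in one organization gets the same denial for another organization's residents as any other user.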
Audit Trails
Every action in Taliswitch is logged for compliance:
What We Log
- User login/logout times and IP addresses
- PHI access (who viewed which resident records)
- Message sends and reads
- Document views and downloads
- Prescription status checks
- Configuration changes (user roles, integrations)
- Failed login attempts
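The event types listed above, together with the "account locked after 5 failed login attempts" rule from the Invite-Only Access section, can be exercised against a structured audit log. The following is an added example, not Taliswitch code: the JSON-lines layout, the event names, the 15-minute counting window and the sample records are assumptions constructed for illustration; the lockout threshold of 5 is taken from the page.

```python
"""Added example (not Taliswitch code): structured audit records for the event
types listed on the page, a lockout check driven by those records, and a
'who viewed which resident' report. Log format and window are assumptions."""
import json
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD = 5   # page: "Account locked after 5 failed login attempts"


def audit_event(event_type, actor, ip, ts=None, **details):
    """Serialize one audit record as a JSON line (append-only format is an assumption)."""
    record = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": event_type,   # login, logout, login_failed, phi_view, doc_download, config_change
        "actor": actor,        # user or account identifier
        "ip": ip,
        "details": details,    # e.g. resident_id for PHI access, setting name for config changes
    }
    return json.dumps(record, sort_keys=True)


def parse_events(lines):
    """Load JSON lines back into dicts with a parsed timestamp, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def should_lock(events, actor, now, window=timedelta(minutes=15)):
    """True when `actor` has LOCKOUT_THRESHOLD failed logins since the last
    successful login, counting only failures inside `window` and not after `now`."""
    failures = 0
    for ev in events:
        if ev["actor"] != actor or ev["ts"] > now:
            continue
        if ev["event"] == "login":
            failures = 0                                   # success resets the counter
        elif ev["event"] == "login_failed" and now - ev["ts"] <= window:
            failures += 1
    return failures >= LOCKOUT_THRESHOLD


def phi_access_by_resident(events):
    """Answer 'who viewed which resident records': resident_id -> sorted actors."""
    seen = {}
    for ev in events:
        if ev["event"] == "phi_view":
            rid = ev["details"].get("resident_id")
            seen.setdefault(rid, set()).add(ev["actor"])
    return {rid: sorted(actors) for rid, actors in seen.items()}


# Constructed sample log: five failures, then a success and one PHI view for
# nurse.jane, plus a single failure for admin.bob. IPs are documentation ranges.
BASE = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_event("login_failed", "nurse.jane", "203.0.113.7", ts=BASE + timedelta(minutes=i))
    for i in range(5)
] + [
    audit_event("login", "nurse.jane", "198.51.100.2", ts=BASE + timedelta(minutes=6)),
    audit_event("phi_view", "nurse.jane", "198.51.100.2", ts=BASE + timedelta(minutes=7),
                resident_id="res-1"),
    audit_event("login_failed", "admin.bob", "203.0.113.7", ts=BASE + timedelta(minutes=8)),
]
EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("lock nurse.jane at +5m:", should_lock(EVENTS, "nurse.jane", BASE + timedelta(minutes=5)))
    print("lock nurse.jane at +8m:", should_lock(EVENTS, "nurse.jane", BASE + timedelta(minutes=8)))
    print("PHI access report:", phi_access_by_resident(EVENTS))
```

Keeping the lockout decision derivable from the same records that feed the audit export means a reviewer can reconstruct why an account was locked from the log alone, which is the property the 7-year retention requirement is meant to protect.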
Accessing Audit Logs
For Admins: Settings → Audit Logs → Export
For Compliance: Contact security@dexzyle.com for formal audit reports
Retention: Logs retained for 7 years minimum (configurable up to 10 years)
Data Residency
Taliswitch data is hosted in SOC 2 Type II certified data centers:
- Primary: AWS US-East (Virginia)
- Backup: AWS US-West (Oregon)
- International: Canada and EU hosting available for enterprise customers
- Data Transfer: PHI never leaves the United States unless explicitly configured
Disaster Recovery & Backups
Backup Schedule
- Database: Continuous replication + hourly snapshots
- Documents: Real-time replication to secondary region
- Retention: 30 days of point-in-time recovery
Recovery Time Objectives (RTO)
- Minor Incident: < 15 minutes
- Major Outage: < 4 hours
- Full Disaster: < 24 hours
Testing
Disaster recovery procedures tested quarterly. Last test: November 2025 (successful).
Security Incident Response
In the event of a security incident:
- Detection: 24/7 monitoring with automated alerts
- Containment: Immediate isolation of affected systems
- Investigation: Root cause analysis within 24 hours
- Notification: Customers notified within 72 hours if PHI is affected
- Remediation: Fixes deployed and documented
- Review: Post-mortem and process improvements
Report a Security Issue: security@dexzyle.com (monitored 24/7)
Penetration Testing & Audits
- External Pen Tests: Quarterly by third-party firms
- SOC 2 Type II: Annual audit (latest: October 2025)
- Vulnerability Scanning: Continuous automated scanning
- Dependency Updates: Critical security patches within 24 hours
Certifications & Compliance
- ✓ HIPAA Compliant (BAA available)
- ✓ SOC 2 Type II Certified
- ✓ HITRUST CSF (in progress, expected Q1 2026)
- ✓ State-specific compliance (CA, NY, TX)
Customer Responsibilities
While Taliswitch provides the secure platform, customers must:
- Ensure users complete security training
- Enforce strong password policies
- Review audit logs regularly
- Report suspicious activity immediately
- Maintain current BAA on file
- Conduct periodic access reviews (remove inactive users)
Security Contact
Questions about security or compliance?
- Email: security@dexzyle.com
- Phone: 1-800-DEXZYLE (select security option)
- BAA Requests: legal@dexzyle.com
- Security Documentation: Available in your admin portal