Security & Compliance

Behavioral health doesn't get a privacy do-over.

Skillique protects PHI and SUD records the way the regulations actually require — not the way it's convenient to.

HIPAA-aware

Encryption at rest and in transit, BAAs with every subprocessor, and access controls modeled on the Privacy & Security Rules.

42 CFR Part 2

SUD records receive heightened consent management, segmented access, and explicit re-disclosure tracking.

Role-based access

Granular RBAC with attribute conditions: clinicians see only their caseload by default; supervisors see their team; owners see everything.

Audit trails

Every read, write, sign, and disclose is logged with actor, timestamp, IP, and reason. Exportable for any audit.

SSO & MFA

SAML and OIDC SSO via Okta or Microsoft Entra. MFA enforced for all production access. SCIM provisioning supported.

US data residency

PHI stored exclusively in US-East and US-West regions. No cross-border transfer. Backups are encrypted and region-pinned.

Compliance posture

SOC 2 Type I: Achieved Q4 2025
SOC 2 Type II: In progress · audit Q3 2026
HITRUST CSF: Roadmap 2027
Penetration tests: Annual + on-demand
Vulnerability scans: Weekly · auto-remediated
Encryption: AES-256 at rest, TLS 1.3 in transit

Need our security packet?

We share BAAs, SOC 2 reports, pen test summaries, and architecture diagrams under NDA. Most security reviews close in under 10 days.