Security & Compliance

Behavioral health doesn't get a privacy do-over.

Skillique protects PHI and SUD records the way the regulations actually require — not the way it's convenient to.

HIPAA-aware

Encryption at rest and in transit, BAAs with every subprocessor, and access controls modeled on the HIPAA Privacy and Security Rules.

42 CFR Part 2

SUD records receive heightened consent management, segmented access, and explicit re-disclosure tracking.

Role-based access

Granular RBAC with attribute conditions: clinicians see only their caseload by default; supervisors see their team; owners see everything.

Audit trails

Every read, write, sign, and disclose is logged with actor, timestamp, IP, and reason. Exportable for any audit.
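The access model described above (clinicians limited to their own caseload, supervisors to their team, owners unrestricted, SUD records gated by explicit consent, and every decision written to an audit record with actor, timestamp, IP, and reason) can be sketched as a small policy check. This is an added, illustrative example, not Skillique's code; the role names, record attributes, consent set, and log field names are assumptions chosen to mirror the page's wording.

```python
"""Illustrative attribute-conditioned RBAC check with an audit record.

Added example, not Skillique's code. Roles, attribute names, the SUD
consent rule, and the log fields are assumptions modeled on the page:
clinicians see their own caseload, supervisors see their team, owners
see everything, SUD records need explicit consent, and every access
decision (allow or deny) is logged with actor, timestamp, IP, and reason.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional

# Actions the page says are audited.
LOGGED_ACTIONS = {"read", "write", "sign", "disclose"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                    # assumed roles: "clinician" | "supervisor" | "owner"
    team: Optional[str] = None


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    assigned_clinician: str      # clinician who owns this caseload entry
    team: str
    is_sud: bool = False         # 42 CFR Part 2 record (assumed flag)
    consented_users: FrozenSet[str] = frozenset()   # explicit Part 2 consents (assumed)


def is_authorized(user: User, record: Record) -> bool:
    """Role grants a scope; attribute conditions narrow it to the caller's own data."""
    if user.role == "owner":
        role_ok = True
    elif user.role == "supervisor":
        role_ok = record.team == user.team
    elif user.role == "clinician":
        role_ok = record.assigned_clinician == user.user_id
    else:
        role_ok = False          # unknown role: default deny
    if not role_ok:
        return False
    # Assumed Part 2 rule: SUD records are segmented behind explicit consent,
    # even for users whose role would otherwise reach them.
    if record.is_sud and user.user_id not in record.consented_users:
        return False
    return True


def access_record(user: User, record: Record, action: str, ip: str, reason: str,
                  log: List[dict], now: Optional[datetime] = None) -> bool:
    """Evaluate the policy and append one audit entry, whatever the outcome."""
    if action not in LOGGED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    allowed = is_authorized(user, record)
    log.append({
        "actor": user.user_id,
        "action": action,
        "record": record.record_id,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "ip": ip,
        "reason": reason,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


if __name__ == "__main__":
    # Constructed sample data.
    audit: List[dict] = []
    chart = Record("rec-1", "pat-1", assigned_clinician="clin-a", team="team-1")
    sud_chart = Record("rec-2", "pat-2", "clin-a", "team-1", is_sud=True,
                       consented_users=frozenset({"clin-a"}))
    access_record(User("clin-a", "clinician", "team-1"), chart, "read", "10.0.0.5", "chart review", audit)
    access_record(User("clin-b", "clinician", "team-1"), chart, "read", "10.0.0.6", "chart review", audit)
    access_record(User("sup-1", "supervisor", "team-1"), sud_chart, "read", "10.0.0.7", "supervision", audit)
    for entry in audit:
        print(entry)
```

Denied attempts are logged alongside allowed ones; a review of the log for repeated "deny" entries from one actor is the kind of signal an audit export should make easy to find.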

SSO & MFA

SAML and OIDC SSO via Okta or Microsoft Entra. MFA enforced for all production access. SCIM provisioning supported.

US data residency

PHI stored exclusively in US-East and US-West regions. No cross-border transfer. Backups are encrypted and region-pinned.

Compliance posture

SOC 2 Type I: Achieved Q4 2025
SOC 2 Type II: In progress · audit Q3 2026
HITRUST CSF: Roadmap 2027
Penetration tests: Annual + on-demand
Vulnerability scans: Weekly · auto-remediated
Encryption: AES-256 at rest, TLS 1.3 in transit

Subprocessors

Who touches the data.

Skillique uses a short list of US-region subprocessors. We sign BAAs with every vendor that could see PHI and publish material changes 30 days in advance.

| Vendor | Purpose | Region | BAA |
| --- | --- | --- | --- |
| Amazon Web Services | Compute, storage, RDS (us-east-1, us-west-2) | United States | Signed |
| Supabase | Managed Postgres + auth | United States | Signed |
| Cloudflare | CDN, WAF, DDoS protection | Global edge · US data plane | Signed |
| Sentry | Error monitoring (scrubbed) | United States | Signed |
| Resend | Transactional email (no PHI in body) | United States | Signed |
| Stripe | Billing for Skillique (not patient billing) | United States | N/A — no PHI |

Responsible disclosure

Found a vulnerability? Email security@skillique.health with reproduction steps. We acknowledge within 1 business day, triage within 5, and publicly credit reporters (with permission) once the fix ships.

Please don't run automated scans against production, exfiltrate data, or impact other customers — we'll work with you in good faith.

Security one-pager

A concise overview of controls, certifications, and architecture — for your security review committee. Most teams complete review in under 10 days.

Need our security packet?

We share BAAs, SOC 2 reports, pen test summaries, and architecture diagrams under NDA. Most security reviews close in under 10 days.