Regulatory-grade security for healthcare AI
Skippy is built for environments where evidence is on the line. Our security architecture meets the rigorous demands of healthcare, finance, and regulated industries.
Three frameworks. Three active deadlines.
Healthcare AI now operates under enforceable regulatory frameworks that require what most AI architectures cannot provide: a traceable evidence chain from output to source. Skippy is built to satisfy these requirements structurally.
EU AI Act (Regulation 2024/1689)
Enforcing · High-risk obligations: August 2026
- Article 13: Technical documentation of knowledge base and how outputs are derived
- Article 17: Quality management system with audit records for every decision
- Article 14: Human oversight measures — knowledge boundary must be disclosed
- Post-market monitoring with incident reporting to national authorities
Skippy's architecture generates Article 13 and 17 documentation by construction — every output carries source lineage, confidence, and an immutable audit record. No post-processing required.
CMS Prior Authorization Rule (CMS-0057-F)
Active · PA API: January 2026 · Full compliance: January 2027
- PA denials must include a reason specific enough for the provider to understand which criterion was not met
- AI-driven PA rationale must be traceable to specific clinical criteria — publicly available and versioned
- Audit trail must reproduce the original denial rationale at appeal time
- 72-hour turnaround requirement for urgent PA decisions
Skippy Auth returns a named clinical criterion, version date, and source citation with every decision. Every response is logged to an immutable audit record anchored to a versioned evidence snapshot — reproducible at appeal.
FDA Software as a Medical Device (SaMD)
Active · Ongoing — AI/ML Action Plan
- Predetermined Change Control Plan required for knowledge updates
- CDS exemption requires clinician to independently review the evidence basis
- Algorithm Change Protocol must gate all model updates affecting safety
- Post-market monitoring with performance thresholds and incident reporting
Skippy returns the full evidence chain underlying every recommendation — enabling independent clinician review, which is the structural requirement for the CDS exemption. Change gates run automatically on every evidence update.
Cryptographically chained. 7-year retention. Tamper-evident by design.
Every API call produces an immutable audit record. Records are SHA-256 chained — any modification to a historical record invalidates every subsequent hash, detectable in a single linear scan.
```json
{
  "request_id": "UUID per API call",
  "timestamp": "UTC — NTP-synced",
  "query": "submitted claim or query",
  "outcome": "SUPPORTED | NOT_COVERED | ...",
  "confidence": 0.94,
  "sources_used": ["PubMed:12345", "ClinVar:67890"],
  "prev_hash": "SHA-256 of previous record",
  "record_hash": "SHA-256 of this record"
}
```

| Requirement | Framework | Implementation |
|---|---|---|
| Audit trail for all actions | FDA 21 CFR Part 11 | Every API call logged |
| Tamper detection | FDA 21 CFR Part 11 | SHA-256 hash chain |
| 7-year retention | FDA 21 CFR Part 11 | Active + compressed archive |
| Record & examine activity | HIPAA §164.312(b) | Full query + outcome + sources |
| Decision documentation | EU AI Act Art. 13 | Source lineage per output |
| Decisions replayable | EU AI Act Art. 13 | Versioned evidence snapshot |
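The chain described above, worked through as an added example (not Skippy's code): records with the page's fields are sealed by hashing every field except `record_hash`, and a single linear scan recomputes each hash and checks each back-link. The canonicalization (sorted keys, compact separators), the all-zero genesis `prev_hash`, and the sample records are assumptions constructed for this illustration.

```python
import hashlib
import json

GENESIS_PREV_HASH = "0" * 64  # assumption: first record links to an all-zero hash

def canonical_bytes(record):
    """Every field except record_hash, serialized deterministically (assumed canonicalization)."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_record(chain, fields):
    """Link a new record to the chain tail and seal it with SHA-256."""
    prev = chain[-1]["record_hash"] if chain else GENESIS_PREV_HASH
    record = dict(fields, prev_hash=prev)
    record["record_hash"] = hashlib.sha256(canonical_bytes(record)).hexdigest()
    chain.append(record)

def verify_chain(chain):
    """Linear scan; returns (True, None) if intact, else (False, index of first broken record)."""
    expected_prev = GENESIS_PREV_HASH
    for i, rec in enumerate(chain):
        if rec.get("prev_hash") != expected_prev:
            return False, i  # back-link points at a hash that is no longer the predecessor's
        if hashlib.sha256(canonical_bytes(rec)).hexdigest() != rec.get("record_hash"):
            return False, i  # record content changed after it was sealed
        expected_prev = rec["record_hash"]
    return True, None

def build_sample_chain():
    """Constructed sample records following the page's schema; not real API data."""
    chain = []
    samples = [("SUPPORTED", 0.94, ["PubMed:12345", "ClinVar:67890"]),
               ("NOT_COVERED", 0.88, ["PubMed:23456"]),
               ("SUPPORTED", 0.91, ["ClinVar:78901"])]
    for n, (outcome, conf, srcs) in enumerate(samples):
        append_record(chain, {"request_id": f"constructed-uuid-{n}",
                              "timestamp": f"2026-01-15T10:0{n}:00Z",
                              "query": f"constructed claim {n}", "outcome": outcome,
                              "confidence": conf, "sources_used": srcs})
    return chain

def tamper_demo():
    """Alter a historical record two ways; the scan pinpoints each break."""
    edited = build_sample_chain()
    edited[1]["outcome"] = "SUPPORTED"  # edit only: record 1 no longer recomputes
    resealed = build_sample_chain()
    resealed[1]["outcome"] = "SUPPORTED"
    resealed[1]["record_hash"] = hashlib.sha256(canonical_bytes(resealed[1])).hexdigest()
    # re-sealing record 1 only moves the break: record 2's prev_hash is now stale
    return verify_chain(edited), verify_chain(resealed)  # (False, 1), (False, 2)
```

The second scenario is the property the text relies on: re-sealing a modified record does not hide the change, because every later back-link still names the original hash.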
Defense in depth, from data to deployment
Data Encryption
- AES-256 encryption at rest (all persistent data)
- TLS 1.3 encryption in transit (all API traffic)
- Key management via AWS KMS with automatic rotation
- Encrypted backups with separate key storage
Access Controls
- Role-based access control (RBAC) for all admin interfaces
- Single Sign-On (SSO) via SAML 2.0 for enterprise customers
- Multi-factor authentication (MFA) required for all users
- Audit logging of all access attempts and admin actions
- Session timeouts after 15 minutes of inactivity
Network Security
- VPC isolation for all production services
- Web Application Firewall (WAF) with OWASP Top 10 rules
- DDoS protection via Cloudflare Enterprise
- Private endpoints for all data and monitoring services
- No ports exposed to public internet (localhost only in dev)
Audit & Compliance
- Immutable audit logs (7-year retention)
- SOC 2 Type II certified
- HIPAA Business Associate Agreement (BAA) available
- GDPR-compliant data handling and deletion
- Regular third-party security assessments
What Skippy owns. What you own.
Skippy retains zero PHI after a request resolves. Audit records contain only metadata — hash, outcome, source IDs, confidence tier — enabling 7-year compliance retention without re-identification risk.
Skippy's responsibilities
- ✓ Encryption in transit (TLS 1.3) and at rest (AES-256)
- ✓ API authentication and rate limiting
- ✓ Audit trail integrity — SHA-256 Merkle chain, tamper-evident
- ✓ 7-year audit log retention on immutable storage (S3 Object Lock)
- ✓ Zero PHI retention after request resolves
- ✓ Verifier gate enforcement — no response issued on critical violation
- ✓ PCCP gate compliance — blocks deployment on calibration failure
- ✓ Incident detection, triage, and breach notification
Your responsibilities
- User authentication and identity management within your environment
- Network perimeter and access controls between your systems and the API
- Audit log access authorization (who in your org can read exports)
- API key rotation and credential management
- PHI de-identification before submitting queries (for additional assurance)
- User training and acceptable use policy enforcement
Meeting the world's toughest standards
| Framework | Status | Target Date | Details |
|---|---|---|---|
| SOC 2 Type II | Certified | Active | Comprehensive audit of security, availability, and confidentiality controls — certified. |
| HIPAA | Ready | Available Now | Full BAA available. Infrastructure configured for HIPAA-compliant deployments. |
| GDPR | Compliant | Active | Data residency options for EU customers. Right to deletion implemented. |
| Penetration Testing | Annual | Last: Q1 2026 | Third-party pen test by accredited firm. Zero critical findings. Executive summary available in security package. |
| FedRAMP | In Progress | 2027 | FedRAMP Moderate authorization in progress. FISMA Moderate architecture available now on Government plan. |
| ISO 27001 | In Progress | Q2 2027 | Information security management system certification. |
Where your data lives matters
Skippy offers data residency options to meet regional compliance requirements:
US East (Virginia)
Primary region. HIPAA-compliant infrastructure. SOC 2 Type II certified.
EU West (Ireland)
GDPR-compliant. EU data residency. Enhanced encryption controls.
On-Premises
For organizations with strict data sovereignty requirements. Full control of infrastructure.
Third-party services and their compliance posture
Skippy notifies customers 30 days before adding or changing a subprocessor. No subprocessor receives PHI — audit logs are metadata-only. All subprocessors are bound by Data Processing Agreement.
| Subprocessor | Purpose | PHI access | Certifications |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, primary infrastructure | No — metadata only | SOC 2, ISO 27001, HIPAA BAA, FedRAMP High |
| AWS KMS | Encryption key management | No | FIPS 140-2, SOC 2 |
| Cloudflare Enterprise | DDoS protection, WAF, CDN | No | SOC 2 Type II, ISO 27001 |
| Datadog | Infrastructure monitoring and alerting | No — metrics and traces only | SOC 2 Type II, HIPAA BAA available |
Complete subprocessor list with DPA references available in the security documentation package.
Verify Skippy responses without trusting our servers
Every Skippy response carries a cryptographic signature. skippy-verify is an open-source Python package that performs offline verification — checking Ed25519 signatures, Merkle root integrity, key revocation, and optional transparency-log inclusion proofs. No Skippy infrastructure required.
Breach notification and incident response
Skippy maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Customers are notified before applicable regulatory deadlines.
Annual third-party pen test by accredited firm. Last engagement: Q1 2026. Zero critical findings. Executive summary available on request.
Need security documentation for your evaluation?
We'll send you our complete security whitepaper, SOC 2 progress report, and HIPAA BAA template.