SECURITY REFERENCE DOCUMENTATION
How Rectangle Health protects your data
Learn about every security control, compliance framework, and operational practice across the Rectangle Health platform.
HIPAA + PCI: dual compliance for healthcare payments
Healthcare organizations accepting card payments face dual exposure — PCI violations for card data and HIPAA violations for PHI. Rectangle Health is designed from the ground up to satisfy both simultaneously.
-
PCI DSS
Payment Card Industry Data Security Standard
Status: Level 1 SAQ
Bridge Payments is validated to PCI DSS standards as part of our P2PE solution. Cardholder data environments are scoped, isolated, and assessed by a Qualified Security Assessor (QSA).
Payment card data is tokenized at capture — raw PANs are never stored in Rectangle Health systems. We support practices in their own PCI compliance journey through SAQ guidance and scope reduction strategies.
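The scope-reduction claim above (tokenize at capture, keep the PAN only inside the PCI-scoped vault, hand the practice a token plus non-sensitive display fields) is shown below as an added illustrative example. It is not Rectangle Health's code and does not describe their P2PE implementation; the class and function names, the token format, and the in-memory vault are assumptions. A real vault would encrypt stored PANs at rest and run in the isolated cardholder data environment.

```python
"""Illustrative PAN tokenization at capture (example code, not Rectangle Health's).

Shows the boundary that keeps a practice's systems out of PCI scope:
only the vault ever sees a full PAN; everything downstream stores a
random token and the last four digits.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (basic PAN sanity check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the PCI-scoped token vault. The only component that holds full PANs.

    The token is random and carries no information about the PAN. A keyed
    fingerprint (HMAC) lets the vault return the same token for a card seen
    twice without storing a reversible or brute-forceable hash of the PAN.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._pan_by_token: dict[str, str] = {}      # assumed: encrypted at rest in production
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)       # assumed token format
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor path inside the CDE should ever call this."""
        return self._pan_by_token[token]


def capture_payment(pan: str, vault: TokenVault) -> dict:
    """What the practice-side system is allowed to persist after capture."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}      # no PAN, no full track data


def record_contains_pan(record: dict) -> bool:
    """Field-level scope check: flag any stored value that is itself a Luhn-valid PAN."""
    for value in record.values():
        digits = str(value).replace(" ", "").replace("-", "")
        if luhn_valid(digits):
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    stored = capture_payment("4111111111111111", vault)    # constructed test PAN
    print(stored, "contains PAN:", record_contains_pan(stored))
```

The practice's database row (`capture_payment`'s return value) passes `record_contains_pan` precisely because the PAN never left the vault; the same check run over a legacy table that still holds raw card numbers is one way to find lingering scope before an SAQ.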
-
HIPAA
Health Insurance Portability and Accountability Act
Status: Compliant
Rectangle Health maintains HIPAA compliance across the Privacy Rule, Security Rule, and Breach Notification Rule.
We draw on more than 30 years of healthcare payments experience to responsibly protect HIPAA-regulated data, and we maintain controls aligned with all applicable PHI safeguard requirements. We offer a Business Associate Agreement (BAA) to all covered entity customers.
Our HIPAA program is actively monitored using automated compliance tooling and reviewed on a regular cadence.
Further reading: How to choose a payment partner that protects both card and patient data
Additional compliance frameworks
-
HITRUST CSF — Common Security Framework
Status: Certified
HITRUST certification provides a unified framework covering HIPAA, NIST CSF, ISO 27001, and other standards. Our certification demonstrates enterprise-grade information security controls that extend well beyond individual regulatory requirements.
Request certificate ›
-
SOC 2 Type II
Status: Attested
Independent third-party attestation of our security, availability, and confidentiality controls over a 12-month observation period. Report available to customers and prospects under NDA.
Request report (NDA required) ›
Security controls
DATA SECURITY AND ENCRYPTION
-
Encryption at rest
AES-256 symmetric encryption. All PHI and cardholder data are encrypted at rest across production environments.
-
Data isolation
Tenant data is logically isolated. Production environments are strictly separated from development and staging, with anonymized data in non-production environments.
ACCESS CONTROLS AND IDENTITY
-
MFA enforced
Multi-factor authentication is required on all internal systems and customer-facing portals without exception.
-
Session management
Configurable session timeouts. Forced re-authentication on sensitive actions. Concurrent session controls enforced.
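The three session controls listed above (idle and absolute timeouts, step-up re-authentication before sensitive actions, and a cap on concurrent sessions per user) are shown below as an added example of how a portal can enforce them server-side. It is example code, not Rectangle Health's; the policy values, class names, and the injectable clock are assumptions chosen so the behaviour can be exercised without waiting for real time to pass.

```python
"""Illustrative server-side session policy (example code, not Rectangle Health's).

Enforces: idle timeout, absolute lifetime, re-authentication for sensitive
actions, and a per-user concurrent-session limit (oldest session evicted).
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class SessionPolicy:
    idle_timeout_s: int = 900          # assumed: 15 minutes idle
    absolute_timeout_s: int = 8 * 3600  # assumed: 8 hours from login regardless of activity
    reauth_window_s: int = 300         # assumed: sensitive actions need auth within 5 minutes
    max_concurrent: int = 2            # assumed: two simultaneous sessions per user


@dataclass
class Session:
    sid: str
    user: str
    created: float
    last_seen: float
    last_auth: float


class FakeClock:
    """Deterministic clock so timeouts can be tested without sleeping."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SessionManager:
    def __init__(self, policy: SessionPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self._sessions: dict[str, Session] = {}   # insertion-ordered

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)

    def login(self, user: str) -> str:
        """Create a session after a successful primary (MFA) authentication."""
        now = self.clock()
        # Concurrent-session control: evict the oldest session for this user if at the cap.
        while self.active_sessions(user) >= self.policy.max_concurrent:
            oldest = min((s for s in self._sessions.values() if s.user == user),
                         key=lambda s: s.created)
            del self._sessions[oldest.sid]
        sid = secrets.token_urlsafe(32)           # unguessable session identifier
        self._sessions[sid] = Session(sid, user, now, now, now)
        return sid

    def authorize(self, sid: str, sensitive: bool = False) -> str:
        """Return 'ok', 'expired', or 'reauth_required' for a request on this session."""
        s = self._sessions.get(sid)
        now = self.clock()
        if s is None:
            return "expired"
        if now - s.last_seen > self.policy.idle_timeout_s or \
           now - s.created > self.policy.absolute_timeout_s:
            del self._sessions[sid]                # hard revoke, not just a client-side hint
            return "expired"
        s.last_seen = now
        if sensitive and now - s.last_auth > self.policy.reauth_window_s:
            return "reauth_required"               # caller must step up before proceeding
        return "ok"

    def reauthenticate(self, sid: str) -> bool:
        """Record a fresh credential/MFA check for a live session."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        s.last_auth = self.clock()
        return True


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    mgr = SessionManager(SessionPolicy(), clock=clock.now)
    sid = mgr.login("alice")
    clock.advance(400)
    print(mgr.authorize(sid, sensitive=True))     # reauth_required
```

The important design points are that expiry deletes the session server-side rather than relying on the browser to discard a cookie, and that "sensitive" is a property of the action being authorized, so a long-lived but still-valid session cannot perform it on stale credentials.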
MONITORING, DETECTION, AND INCIDENT RESPONSE
-
24/7 SIEM monitoring
Real-time log aggregation and anomaly detection across all production systems. Alerts route to an on-call security team around the clock.
-
Annual penetration testing
Independent third-party penetration testing of the external attack surface, internal systems, and APIs. Findings drive remediation priorities.
PEOPLE, TRAINING, AND SECURE DEVELOPMENT
-
HIPAA security training
All employees whose roles require it complete HIPAA security training annually, consistent with regulatory and industry expectations.
-
Secure development (SDLC)
Software development follows established security standards including secure coding practices, controlled access, routine vulnerability testing, and logging to reduce risk.
INFRASTRUCTURE AND AVAILABILITY
-
Physical infrastructure
Rectangle Health hosts its platform on Amazon Web Services (AWS), which operates its underlying infrastructure under industry-leading security certifications including SOC, PCI DSS Level 1, and ISO. Those certifications cover AWS's physical facilities and underlying infrastructure. Under the AWS shared responsibility model, Rectangle Health inherits those physical and environmental controls and remains responsible for the security of what it runs on AWS: configuration, identity and access, application code, and data.
-
Redundant architecture
Multi-availability-zone deployment on AWS. No single points of failure in the production environment.
Vendor and subprocessor management
-
Rectangle Health maintains a formal Third-Party Risk Management (TPRM) program to identify, assess, and manage security risks posed by vendors that support our systems or access data.
-
All vendors with access to PHI or payment data are required to execute a BAA and/or DPA prior to onboarding, and are assessed against our security standards on an ongoing basis.
-
Our business continuity program explicitly accounts for third-party disruption scenarios, with defined contingency procedures and customer communication protocols.
Policies
-
Privacy
Rectangle Health's Privacy Policy describes how we collect, store, use, and share voluntarily provided personal information. Rectangle Health does not use or disclose personal information other than as permitted in our Privacy Policy and applicable agreements with customers.
-
Responsible disclosure
If you've identified a potential security vulnerability in Rectangle Health's products or infrastructure, we encourage responsible disclosure. Our security team responds within 48 hours.
Security and compliance resources
-
Blog
How to choose a payment partner that protects both card and patient data
-
Blog
HIPAA compliance: Don't let false security become a million-dollar mistake
-
Press
Rectangle Health Reaffirms Robust Security Framework through PCI DSS Attestation of Compliance Renewal
-
Blog
Navigating HIPAA compliance in small dental practices