
Security, built in.

HITRUST-ready as of 2026-05-20. Security and compliance posture is built into the platform, not bolted on. The controls a HITRUST auditor would expect — identity, access, cryptography, audit, BCDR — are already here, with evidence.

< 30s: Revoke propagation across instances
30s LRU revoke cache; bound by the cache TTL, not by deploy cycles

RTO ≤ 1h: Recovery time objective
RPO ≤ 5 min; DR-by-flag posture in centralus

35d: Postgres backup retention (prod)
GRS storage; 14d staging; 7d dev

OWASP 2.1: WAF rule set
DefaultRuleSet 2.1 + Bot Manager 1.0; 1000 req/min/IP rate limit

Multi-factor authentication

Native TOTP + WebAuthn — phishing-resistant when policy demands it.

Both platform operators and tenant users authenticate via the same engine: password + factor + (optional) step-up. WebAuthn counter-regression detection catches credential-clone attacks; the platform-side enrolment cache expires aggressively.

TOTP follows RFC 6238 with a 30-second skew window. Recovery codes are 10 single-use codes, bcrypt-hashed at cost 12, deleted on use.

WebAuthn uses the FIDO MDS3 metadata service to gate which authenticator models are trusted. A credential whose signature counter regresses below the stored value triggers a security event — a clone-attack indicator.

Step-up MFA applies to sensitive operations (impersonation, federation key management). The mfaVerifiedAt freshness window is 300 seconds by default; outside the window the user re-asserts their factor.

Diagram: MFA decision tree — phishing-resistant policy + step-up evaluation.

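As an added illustration (not code from this page or from rcm-core), the decision tree described above in Python: the 300-second mfaVerifiedAt window and the two sensitive operations come from the page; the function and type names, the session/policy shapes, and the counter rule (from the WebAuthn spec, which treats an equal counter as a regression too) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

STEP_UP_WINDOW_S = 300  # default mfaVerifiedAt freshness window (from the page)
SENSITIVE_OPS = {"impersonate", "federation_key_manage"}  # step-up operations (names assumed)


class Decision(Enum):
    REQUIRE_FACTOR = "require_factor"                 # no second factor on this session yet
    REQUIRE_PHISHING_RESISTANT = "require_webauthn"   # policy demands WebAuthn; TOTP is not enough
    REQUIRE_STEP_UP = "require_step_up"               # sensitive op and the last assertion is stale
    ALLOW = "allow"


@dataclass
class Session:
    factor: Optional[str]             # "totp", "webauthn" or None (assumed shape)
    mfa_verified_at: Optional[float]  # epoch seconds of the last factor assertion


@dataclass
class Policy:
    phishing_resistant: bool          # True: only WebAuthn satisfies the factor requirement
    step_up_window_s: int = STEP_UP_WINDOW_S


def counter_regressed(stored: int, presented: int) -> bool:
    """WebAuthn signature-counter check. A 0/0 pair means the authenticator
    does not count; otherwise the counter must strictly increase, and a
    non-increasing value is the clone-attack indicator (raise a security event)."""
    if stored == 0 and presented == 0:
        return False
    return presented <= stored


def decide(session: Session, policy: Policy, operation: str, now: float) -> Decision:
    """Walk the MFA decision tree for one request at time `now` (epoch seconds)."""
    if session.factor is None:
        return Decision.REQUIRE_FACTOR
    if policy.phishing_resistant and session.factor != "webauthn":
        return Decision.REQUIRE_PHISHING_RESISTANT
    if operation in SENSITIVE_OPS:
        verified = session.mfa_verified_at
        # Missing or stale assertion: the user must re-assert their factor
        if verified is None or now - verified > policy.step_up_window_s:
            return Decision.REQUIRE_STEP_UP
    return Decision.ALLOW
```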
Federated SSO

Standards-based federation — RFC 7519 JWT, RFC 7517 JWK.

EMR / EHR partners register themselves via the federated SSO trust registry. Per-partner signing keys follow a staged → active → superseded → revoked lifecycle. Revoke propagates across every running rcm-core instance in under 30 seconds via the LRU revoke cache.

Diagram: Federation SSO — partner JWT to tenant token in 8 steps.

Tenant isolation

Physical, not logical.

No row-level security. One PostgreSQL database per customer, connection strings sealed in Key Vault, never persisted in the master DB. The isolation surface is architectural — not enforced by application code that could regress.

Master DB

Tenant directory + Postgres-server inventory + master-data catalogs. No PHI.

Tenant DB (per customer)

Members, charges, claims, remittances, ledger, rules, audit. PHI lives here.

Key Vault

Sealed tenant connection strings + DEKs. Read at API edge only; never logged.

BCDR

Disaster recovery is a flag, not a project.

The DR posture is dormant by default and armed by configuration. Passive region in centralus costs about $1.1K/month when armed and zero when not — but the wiring is in place so the flag-flip is a configuration change, not an engineering effort.

RPO ≤ 5 min

Recovery point objective. Postgres ZR-HA + RAGZRS storage carry the last few minutes of transactions.

RTO ≤ 1h

Recovery time objective. The DR drill is dated 2026-04-26 with a current runbook.

PHI DEK rotation

Quarterly key rotation. Next rotation window: 2026-07-01 at 02:00 UTC.

Front Door TLS ≥ 1.2

WAF + Bot Manager + rate limit gate every endpoint. /api/* limited to 1000 req/min per IP.