Security & Trust
ArrowISE is built on HIPAA-eligible infrastructure with enterprise-grade security controls. Here's exactly how we protect your data.
Infrastructure
ArrowISE runs exclusively on Amazon Web Services (AWS), which maintains HIPAA eligibility and provides the infrastructure foundation for our compliance program. All data is processed and stored within the AWS us-east-1 (Northern Virginia) region. We execute a Business Associate Agreement (BAA) with AWS as required under HIPAA.
Hosting Platform
AWS — HIPAA-eligible infrastructure. Amazon Web Services provides compute, storage, and database services. ArrowISE maintains a signed BAA with AWS.
Content Delivery
Vercel — Global edge network. Static assets and the ArrowISE marketing site are served via Vercel's global CDN with automatic HTTPS and DDoS protection.
Transactional Email
Resend — GDPR-compliant email delivery. Confirmation emails and system notifications are sent via Resend with DKIM authentication on getarrowise.com.
Data Protection
Encryption
Data in Transit: All data transmitted between users and ArrowISE is encrypted using TLS 1.2 or higher. HTTPS is enforced site-wide with HSTS headers.
Data at Rest: Arrangement data, FMV opinion records, and compliance documentation stored in AWS RDS are encrypted at rest using AES-256.
Access Controls
Authentication: ArrowISE uses Clerk for enterprise-grade user authentication, supporting multi-factor authentication (MFA), SSO, and role-based access controls.
Least Privilege: Each user tier (Admin, Compliance Officer, Corporate Reviewer, Viewer) has defined permissions. No user can access data beyond their role scope.
Data Residency
All ArrowISE customer data is stored and processed within the United States. ArrowISE does not transfer arrangement data, FMV records, or compliance documentation outside of US-based AWS infrastructure.
HIPAA Compliance
ArrowISE manages physician arrangement data — including physician names, NPI numbers, and compensation information — which is not Protected Health Information (PHI) under HIPAA. ArrowISE does not process, store, or transmit patient clinical data or PHI. Our HIPAA-eligible infrastructure posture reflects our commitment to healthcare-grade security standards for our customers' sensitive business data.
Business Associate Agreement: ArrowISE provides a signed BAA to all customers at all pricing tiers at no additional cost. The BAA documents each party's responsibilities for protecting data in accordance with HIPAA standards.
Note on BAA framing. Because ArrowISE manages physician arrangement metadata and compliance workflow — not patient clinical data — a Business Associate Agreement may not be strictly required under HIPAA. ArrowISE provides the BAA as a procurement courtesy to streamline customer vendor-onboarding processes. The same framing applies on the BAA template page.
Minimum Necessary: ArrowISE is designed on a minimum-necessary data principle. We collect and store only the arrangement data required to deliver compliance workflow functionality.
Certifications & Roadmap
Active
- HTTPS / TLS 1.2+
- HSTS Enforcement
- DKIM / SPF / DMARC Authentication
- BAA with AWS
- BAA with Customers: Available at all pricing tiers
In Progress
- SOC 2 Type I: Audit engagement in progress. Target completion: Q3 2026. SOC 2 Type I certification will verify that ArrowISE's security controls are suitably designed as of a point in time.
- SOC 2 Type II: Planned Q1 2027 following successful Type I.
On Roadmap
- HITRUST CSF: Healthcare-specific information risk management framework. Planned post-Series A.
- Penetration Testing: Annual third-party penetration test. First engagement scheduled for Q4 2026.
Subprocessors
ArrowISE uses the following third-party subprocessors to deliver our service. All subprocessors are evaluated for security posture and data handling practices.
| Subprocessor | Purpose | Location | Data Handled |
|---|---|---|---|
| Vercel | Hosting, CDN, serverless functions | United States | Application requests, form submissions, email captures |
| Supabase | Postgres database, authentication, storage | United States | Arrangement data, user accounts, compliance records, session tokens |
| Resend | Transactional email | United States | Email addresses, notification content |
| Upstash | Redis rate limiting | United States | Request metadata (no PII) |
| Sentry | Error monitoring and observability | United States | Application telemetry, error traces |
| Stripe | Subscription billing | United States | Billing email, payment metadata (no card data — Stripe-hosted) |
| Anthropic | LLM API for AI-assisted compliance review | United States | Arrangement metadata sent for analysis; not used to train Anthropic models |
See the canonical subprocessors page for the latest authoritative list with 15-day change-notice commitments.
Incident Response
ArrowISE maintains an incident response plan that includes detection, containment, eradication, recovery, and post-incident analysis procedures.
In the event of a security incident affecting customer data, ArrowISE will:
- Notify affected customers within 72 hours of confirmed breach discovery
- Provide a written incident report within 30 days
- Cooperate fully with customer investigations
To report a security concern: security@getarrowise.com
Security Questions
For security reviews, vendor assessments, BAA requests, or penetration test reports, contact our security team directly.