Security & Compliance

The Commure Platform was designed from the ground up with security and privacy as the primary requirement. Security is more than just a feature or a checkbox, it's a requirement for responsible healthcare innovation.

The goal is to go beyond the minimums set by regulations or custom, and to meaningfully reduce security risks to healthcare applications.

Basics Features

Data Encryption

All data are encrypted at rest and in flight, using either AES 256+ bit ciphers or TLS 1.2+. The secrets are managed separately from the data and any access to production infrastructure is subject to strict limits and full administrative controls.

Audit Logs

Any PHI data access via Commure APIs generates detailed audit log events (in FHIR AuditEvent format) that clearly specify when, who and what. All access to underlying infrastructure, failed connections and other events is also logged. If desired, the logs can also be sent to security alerting and privacy management systems. Please ask about available integrations.


The Commure Platform has received independent validation of HIPAA and other regulatory requirements. If needed, we will supply official documentation. Complying with HIPAA, other government regulations, and a particular healthcare system's policies is both the law and the right thing to do. Commure aims to make it easier for small, early stage teams to achieve compliance with legal as well as health system requirements.

SSO (Single Sign-On) Integration

All user logins can be authenticated against existing single-sign-on systems using SAML, OpenID or OAuth protocols. This ensures that any corporate-wide password policies, provisioning or deprovisioning processes or other needs are seamlessly echoed by both the Commure Platform and any applications hosted on it.

Advanced Features

Fine-grained Authorization

Data access can be controlled using fine-grained policies based on the user, the application, the data, the context and the action. The policies themselves are separate from application code, based on open standards, fully audit-able and under customer control.

BAAs and other legal agreements

Sometimes it is necessary to execute BAAs (business associate agreements) with both upstream and downstream providers of PHI (protected health information) or cloud computing services. The Commure Platform simplifies meeting these compliance requirements. If you have questions about already-executed BAAs or need to execute a BAA with Commure for your application, please contact us.