
Security isn't a feature; it's the foundation

Overlay was designed from day one for healthcare's strictest compliance requirements. Every architectural decision starts with protecting patient data.

HIPAA Compliant
AES-256 Encryption
Full Audit Logging
SOC 2 (In Progress)
Zero-Trust Architecture

Four layers of protection

Encryption at rest and in transit

All data stored within Overlay is encrypted at rest with AES-256-GCM, and all data in transit is protected by TLS 1.3. Encryption keys are rotated automatically on a 90-day cycle and managed through a dedicated key management service (KMS).

  • AES-256-GCM for data at rest
  • TLS 1.3 enforced for all connections
  • 90-day automatic key rotation
  • KMS-managed key hierarchy
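To make "KMS-managed key hierarchy" and "90-day key rotation" concrete, here is an added example of envelope encryption in Go. It is written for this page and is not Overlay's implementation: the `KeyRing` type stands in for a KMS, the record-ID-as-AAD binding and the `Rewrap`/`Retire` operations are assumptions, and the sample record is constructed. Each record is encrypted under its own data encryption key (DEK) with AES-256-GCM; the DEK is wrapped under a versioned key-encryption key (KEK). Rotating the KEK therefore never touches record ciphertext, only the 32-byte wrapped DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyRing stands in for the KMS (assumption: production would call the KMS API). It holds versioned 256-bit KEKs.
type KeyRing struct {
	keks    map[uint32][]byte
	current uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keks: map[uint32][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return b
}

// Rotate creates a new KEK version and makes it current; older versions stay until retired, so existing envelopes still open.
func (k *KeyRing) Rotate() uint32 {
	k.current++
	k.keks[k.current] = randBytes(32)
	return k.current
}

// Retire deletes a KEK version; anything still wrapped under it is unreadable.
func (k *KeyRing) Retire(version uint32) { delete(k.keks, version) }

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize()) // fresh random 96-bit nonce per call
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad) // fails on any tampering
}

// Envelope is the stored form: record ciphertext under a per-record DEK, plus that DEK wrapped under one KEK version.
type Envelope struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}

func (k *KeyRing) unwrap(e Envelope) ([]byte, error) {
	kek, ok := k.keks[e.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is retired or unknown", e.KEKVersion)
	}
	return gcmOpen(kek, e.WrappedDEK, nil) // a wrong KEK fails the tag check
}

// Encrypt uses the record ID as AAD, so a ciphertext copied onto another record fails to open.
func (k *KeyRing) Encrypt(recordID string, plaintext []byte) Envelope {
	dek := randBytes(32)
	wrapped := gcmSeal(k.keks[k.current], dek, nil)
	return Envelope{k.current, wrapped, gcmSeal(dek, plaintext, []byte(recordID))}
}

func (k *KeyRing) Decrypt(recordID string, e Envelope) ([]byte, error) {
	dek, err := k.unwrap(e)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, e.Ciphertext, []byte(recordID))
}

// Rewrap moves an envelope to the current KEK: only the 32-byte DEK is re-encrypted; the record ciphertext is neither read nor rewritten.
func (k *KeyRing) Rewrap(e Envelope) (Envelope, error) {
	dek, err := k.unwrap(e)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{k.current, gcmSeal(k.keks[k.current], dek, nil), e.Ciphertext}, nil
}
```

A rotation cycle with this package is `ring := NewKeyRing(); ring.Rotate(); env := ring.Encrypt(id, data)`, then on rotation day `ring.Rotate()`, a background `ring.Rewrap(env)` over every stored envelope, and `ring.Retire(oldVersion)` once nothing references the old KEK. The point a practitioner should take from it: decryption keeps working during the rewrap window because old KEK versions remain available, and retiring a version is the step that actually revokes access to anything not yet rewrapped.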

Identity & access management

Every user, service, and API call is authenticated before any data can be accessed. Overlay enforces role-based access control down to the field level, with short-lived session tokens and mandatory MFA for all administrative accounts.

  • Role-based access control (RBAC)
  • OAuth 2.0 and SMART on FHIR
  • MFA required for admin roles
  • Session tokens expire after 60 minutes of inactivity

Immutable audit logging

Every action (data requests, approvals, denials, access events, and configuration changes) is written to an append-only, tamper-evident audit log. Logs are retained for seven years by default, which exceeds HIPAA's six-year documentation retention requirement.

  • Append-only, tamper-evident logs
  • 7-year retention as standard
  • Real-time alerting on anomalous access
  • Exportable for your own SIEM
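To show what "append-only, tamper-evident" means in practice, here is an added example of an HMAC-chained audit log in Go. It is written for this page and is not Overlay's logging code; the `AuditEvent` fields, the HMAC key handling and the sample events are constructed assumptions. Each entry carries the MAC of the previous entry, so editing, reordering or deleting any entry breaks the chain, and the MAC is keyed so an attacker without the key cannot re-link the chain after a change. The example also covers the failure mode a chain alone misses: quietly dropping the newest entries leaves a valid chain, which is why the head MAC has to be anchored somewhere the log writer cannot alter (for instance the customer's SIEM mentioned above).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// genesis is the fixed "previous MAC" of the first entry.
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEvent is one log record. encoding/json emits struct fields in
// declaration order, so json.Marshal yields a canonical byte string to MAC.
type AuditEvent struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Outcome  string `json:"outcome"`
	Prev     string `json:"prev"` // MAC of the previous entry (the chain link)
	MAC      string `json:"mac"`  // HMAC-SHA256 over this entry with MAC blank
}

// macOf computes HMAC-SHA256 over the canonical entry, MAC field excluded.
// Keyed hashing means an attacker without the key cannot re-link the chain
// after editing an entry; an unkeyed hash chain only resists accidental damage.
func macOf(key []byte, e AuditEvent) string {
	e.MAC = ""
	body, _ := json.Marshal(e) // string/uint64 fields cannot fail to marshal
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// AuditLog is append-only: Append is its only mutating operation.
type AuditLog struct {
	key     []byte
	entries []AuditEvent
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) Append(t, actor, action, resource, outcome string) AuditEvent {
	e := AuditEvent{Seq: uint64(len(l.entries)), Time: t, Actor: actor,
		Action: action, Resource: resource, Outcome: outcome, Prev: l.Head()}
	e.MAC = macOf(l.key, e)
	l.entries = append(l.entries, e)
	return e
}

// Head is the MAC of the newest entry. Anchor it somewhere the log writer
// cannot alter (an external store, a signed checkpoint, the customer's SIEM):
// an intact chain can still be silently truncated at the end.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return genesis
	}
	return l.entries[len(l.entries)-1].MAC
}

// Entries returns a copy, so callers cannot edit the log in place.
func (l *AuditLog) Entries() []AuditEvent { return append([]AuditEvent(nil), l.entries...) }

// Verify re-walks the chain. It returns -1 and nil if every entry is intact and the final
// MAC equals anchoredHead; otherwise the index of the first bad entry (len(entries) for a
// truncated or out-of-band extended log) and the reason.
func Verify(key []byte, entries []AuditEvent, anchoredHead string) (int, error) {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i) || e.Prev != prev {
			return i, fmt.Errorf("entry %d: sequence or chain link broken", i)
		}
		if !hmac.Equal([]byte(e.MAC), []byte(macOf(key, e))) {
			return i, fmt.Errorf("entry %d: MAC mismatch, content altered", i)
		}
		prev = e.MAC
	}
	if prev != anchoredHead {
		return len(entries), fmt.Errorf("head %s != anchored head %s", prev, anchoredHead)
	}
	return -1, nil
}

func main() {
	key := []byte("constructed-demo-hmac-key") // constructed sample key and events
	l := NewAuditLog(key)
	l.Append("2024-05-01T10:00:00Z", "dr.smith", "read", "patient/123/labs", "allowed")
	l.Append("2024-05-01T10:00:05Z", "svc-billing", "read", "patient/123/notes", "denied")
	anchored := l.Head()
	tampered := l.Entries()
	tampered[1].Outcome = "allowed" // rewrite history: the denial becomes a grant
	fmt.Println(Verify(key, tampered, anchored))
	fmt.Println(Verify(key, l.Entries()[:1], anchored)) // truncated: chain ok, head differs
}
```

The HMAC key must be held by the log service only; if the component that writes entries also holds the key, an attacker who compromises it can rewrite and re-MAC the whole chain, and only the externally anchored head (or a periodic signed checkpoint) will reveal that. Exporting entries and the head MAC to a SIEM on a schedule gives the customer an anchor that the logging system itself cannot move.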

Zero-trust network architecture

Overlay operates on a zero-trust model: no implicit trust is granted to any system, user, or network segment. Every request is verified, authorized, and logged regardless of its origin — even internal service calls.

  • Mutual TLS between all internal services
  • Network micro-segmentation
  • No persistent inbound firewall rules
  • All traffic inspected and logged

Built for healthcare's regulatory environment

Overlay's compliance posture is built into the product, not bolted on afterward. Our controls are designed to meet HIPAA's technical, administrative, and physical safeguard requirements.

Minimum necessary standard

Scoped access permissions enforce HIPAA's requirement that only the minimum necessary data is accessed for each request.

Business Associate Agreement (BAA)

Overlay executes a BAA with every customer before any PHI flows through the system. Available on all plans.

Breach notification readiness

Automated alerting and incident response runbooks ensure you can meet HIPAA's breach notification deadline: notice without unreasonable delay and no later than 60 days after discovery.

Annual penetration testing

Overlay undergoes independent penetration testing annually. Results are available to enterprise customers under NDA.

Compliance & certification status

HIPAA: Active
SOC 2 Type II: In progress
BAA: Available on all plans
Penetration test: Annual

Designed to stay up when healthcare can't afford downtime

Uptime SLA: 99.9%

99.9% uptime guaranteed on all production environments. Status and incident history are available on our public status page.

Redundant deployment: Multi-AZ

All services are deployed across multiple availability zones, so the loss of a single availability zone does not take Overlay offline.

Data residency: US-only

All PHI processed and stored by Overlay remains within US data centers. We do not transfer patient data internationally.

Questions about our security posture?

We're happy to share our security documentation, walk through our architecture, or discuss your specific compliance requirements.