
Your Trust.
Our Commitment.
At Athelas, we understand that trust is earned through transparency, reliability, and integrity.
Our platform powers healthcare innovation while maintaining the highest standards of security, privacy, and compliance. Athelas connects care teams, patients, and technology securely — every interaction, every time, because patient data protection isn’t optional.
Security
We take a defense-in-depth approach to security at every layer of our infrastructure.
Data Protection
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS 1.2+ with perfect forward secrecy
- Key management: Hardware security modules (HSMs) and automated key rotation
Access & Identity
- Multi-factor authentication (MFA): Required for all user accounts
- Role-based access control (RBAC): Principle of least privilege across all systems
- Single sign-on (SSO): Enterprise identity provider integration (Okta, Azure AD, Google Workspace)
- Session management: Automatic timeout and device fingerprinting
Infrastructure Security
- Intrusion detection: 24/7 automated monitoring with real-time alerting
- DDoS protection: Multi-layer mitigation at edge and application layers
- Data residency: US-based infrastructure in HIPAA-compliant data centers
- Vulnerability management: Automated scans and frequent patch cycles
- Penetration testing: Annual third-party security assessments
Compliance
Commure, Athelas’s parent company, adheres to industry-leading frameworks for healthcare data protection.

SOC 2 Type II
Audited by an independent third party (in progress / certified).

HIPAA Compliance
Audited by an independent third party (in progress / certified).

GDPR & CCPA
We support international privacy regulations for data subjects’ rights.
Privacy
We treat patient and customer data with the respect and protection it deserves.

Our Privacy Principles
No data selling: We never sell, rent, or share Protected Health Information (PHI) or customer data
Purpose limitation: Data is only processed to deliver, improve, and support our products
Data ownership: Customers retain full ownership and control of their data
Transparency: Clear documentation of data practices and processing activities

Data Rights
Access: Request copies of your data at any time
Portability: Export data in standard formats (FHIR, CSV, JSON)
Deletion: Request deletion of data subject to legal retention requirements
Correction: Update or correct inaccurate information

Our Privacy Principles
Minimal collection: We collect only data necessary for service delivery
Retention limits: Data retained according to documented schedules and customer contracts
Subprocessor oversight: All vendors undergo security and privacy reviews
Cross-border transfers: Standard Contractual Clauses (SCCs) for international data flows
Reliability & Uptime
Our commitment to reliability ensures healthcare operations run smoothly.
99.9% Uptime Target
Real-Time Status
Incident Transparency
All incidents and resolutions are publicly tracked via an Incident.io integration.
Disaster Recovery
Tested quarterly with full backup and recovery plans.
Subprocessors
Commure partners only with vetted subprocessors who meet our security and compliance standards. Each subprocessor undergoes annual security and privacy reviews.
Contact Us
Have questions about our security or compliance program? Our Security and Privacy teams are here to help.