Trust Center

Security & Compliance You Can Trust

Protecting your data is our unwavering commitment. Avande maintains the highest standards of security, privacy, and compliance in healthcare—independently verified and continuously monitored.

As a healthcare cost management company handling sensitive Protected Health Information (PHI) and Personally Identifiable Information (PII), we understand that trust is earned through action, not promises. That's why we have achieved and maintain independent third-party attestations and certifications, including a SOC 2 Type II report and HITRUST CSF certification, and operate in full compliance with HIPAA.

Our Standards

Enterprise-Grade Security for Healthcare

01

Independently Verified

Third-party audits and certifications validate our security controls annually

02

Continuously Monitored

24/7 security monitoring, threat detection, and incident response protocols

03

Healthcare-Specific

Purpose-built controls designed for PHI protection and HIPAA requirements

Attestation

SOC 2 Type II Attestation

Independently Audited Security Controls

Avande has completed a SOC 2 Type II attestation, demonstrating that our security controls are not only suitably designed but also operated effectively throughout the audit period. Our independent auditors evaluate our systems against the American Institute of CPAs (AICPA) Trust Services Criteria across five key areas: security, availability, processing integrity, confidentiality, and privacy.

Key Details

  • Annual independent audit by a licensed CPA firm
  • Comprehensive evaluation of 100+ security controls
  • Type II attestation validates that controls operated effectively over a 6-12 month observation period (a Type I report would cover design at a single point in time only)
  • Full audit report available to customers under NDA

Compliance

HIPAA Compliant

Full Health Insurance Portability and Accountability Act Compliance

Avande is fully compliant with HIPAA regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule. As a Business Associate under HIPAA, we implement comprehensive administrative, physical, and technical safeguards to protect all Protected Health Information (PHI).

Key Commitments

  • Business Associate Agreements (BAAs) available for all customers
  • Annual HIPAA Security Risk Assessments
  • Mandatory workforce training and certification
  • Documented policies and procedures for all HIPAA requirements
  • Breach notification protocols aligned with the HIPAA Breach Notification Rule and HHS guidance (as a business associate, we notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, per 45 CFR 164.410)

Certification

HITRUST CSF Certified

Healthcare's Gold Standard for Security and Privacy

Avande has achieved HITRUST CSF (Common Security Framework) Certification, widely recognized as the gold standard for healthcare information security and privacy. HITRUST CSF certification represents the most comprehensive and rigorous security framework in healthcare, incorporating requirements from multiple regulations and standards including HIPAA, PCI DSS, ISO 27001, NIST, and more.

Why HITRUST Matters

1

Most Comprehensive Framework

HITRUST CSF consolidates 19 authoritative sources including HIPAA, NIST 800-53, ISO 27001, PCI DSS, and more into a single, risk-based framework specifically designed for healthcare.

2

Independent Third-Party Assessment

Certification requires an assessment by a HITRUST-authorized External Assessor, with validation by HITRUST, against the framework's 156 control specifications, organized into 49 control objectives across 14 control categories.

3

Continuous Compliance

Annual assessments and ongoing monitoring ensure our security posture remains strong and adapts to evolving threats and regulatory requirements.

4

Industry Recognition

HITRUST CSF certification is recognized by health plans, healthcare providers, and business associates as demonstrating the highest level of security maturity.

Key Details

  • Validated assessment against the framework's 156 control specifications (the requirement statements in scope depend on the assessment type and the organization's risk factors)
  • Annual recertification by an authorized HITRUST External Assessor
  • Meets requirements of major health plans and healthcare organizations
  • Certification letter available upon request
  • Published in HITRUST public directory

Security Commitment

Beyond Compliance: Our Security Commitment

Compliance certifications are our foundation, not our ceiling. We continuously invest in additional security measures to protect your data and maintain the trust you place in us.

Penetration Testing

Annual third-party penetration testing and vulnerability assessments with remediation tracking

Employee Background Checks

Comprehensive background checks for all employees with access to PHI or production systems

Encryption Everywhere

Encryption in transit (TLS 1.2 or later, with older protocol versions disabled) and at rest (AES-256), including backups

Multi-Factor Authentication

Required MFA for all production access, administrative functions, and customer-facing systems

Security Awareness Training

Mandatory annual security and privacy training for all employees with quarterly phishing simulations

24/7 Security Monitoring

Continuous monitoring with security information and event management (SIEM) and automated threat detection

Trust & Compliance

Enterprise-Grade Security & Compliance

Independently verified through rigorous third-party audits and continuously monitored to ensure the highest standards of data security, privacy protection, and regulatory compliance.

SOC 2 Type II

Service organization control audit verifying security, availability, processing integrity, confidentiality, and privacy controls over time.

Status: Compliant (Q1 2026)

HIPAA

Health Insurance Portability and Accountability Act compliance ensuring protection of sensitive patient health information.

Status: Compliant (Q4 2025)

PHI

Protected Health Information safeguards meeting strict healthcare data protection requirements.

Status: Active (ongoing)

PII

Personally Identifiable Information protection with enterprise-grade privacy controls.

Status: Protected (Q1 2026)

Incident Response

Prepared for the Unexpected

Despite our best efforts, we recognize that no system is immune to security incidents. That's why we maintain comprehensive incident response and business continuity plans.

Detection & Response

  • 24/7 security monitoring and automated threat detection
  • Documented incident response procedures with defined escalation paths
  • Rapid containment and remediation protocols
  • Forensic investigation and root cause analysis

Communication & Notification

  • Transparent communication with affected customers
  • Breach notification procedures aligned with HIPAA and state regulations
  • Post-incident reports and corrective action plans
  • Regular tabletop exercises and incident simulations

Business Continuity

  • Redundant infrastructure and automated failover
  • Regular data backups with tested restoration procedures
  • Disaster recovery plan with a defined recovery time objective (RTO) and recovery point objective (RPO)
  • Annual business continuity testing and validation

Questions

Questions About Our Security Practices?

Our security and compliance team is here to help our clients. Whether you have a specific security question or want to discuss our controls in detail, we are committed to transparency.

Security Team

For security questions, audit requests, or vulnerability reporting

Compliance Team

For BAA requests or compliance related questions

Trust Center Portal

For on-demand access to security documentation and certifications

Ready to Partner with a Security-First Organization?

Experience the confidence that comes from working with a healthcare partner that takes security and compliance as seriously as you do.
