This page maps Nemorion Technologies' platform controls to the HIPAA Security Rule (45 CFR § 164.308, 164.310, 164.312) governing electronic Protected Health Information (ePHI), and to Privacy Rule mechanisms for individual rights.
For deployment model details, Business Associate posture, license heartbeat disclosure, and the shared status-indicator convention, see the Trust Center overview.
Sovereign is a project management and automation platform. ePHI may incidentally pass through workflows or work items, but Sovereign is not designed to serve as an EHR, primary clinical-care system, or patient-record repository. Workflows where time-critical clinical-care break-glass is essential should use purpose-built EHR systems.
For self-hosted deployments, Nemorion Technologies does not see your ePHI and is not a Business Associate — see the Trust Center overview for the deployment-model details and the no-BAA-required-for-self-hosted explanation.
These are policies-and-procedures controls. The software supports them via identity, audit, and configuration primitives; the operator implements the surrounding policy.
Platform-wide role-based access control gates every read and write at the entity level. Tenant administrators provision workforce access via cascade-aware role assignments at Account → Tenant → Workspace → Resource levels.
Tenant administrators control which users have which roles. Role mutations are audited and applied atomically with the access-control update.
Authentication events (login attempts, MFA verifications, password resets, account lockouts) are captured today via structured logging that operators can forward to their SIEM. Persistence to the tamper-evident audit chain is in progress.
Until chain persistence lands, customers operating regulated workloads should configure SIEM forwarding as the primary record for login monitoring.
Local-mode passwords are hashed with industry-standard adaptive hashing at a work factor that meets current NIST recommendations. OIDC mode delegates password management to your IdP.
HIPAA requires the Covered Entity to maintain a security incident response procedure. Sovereign provides structured logs and audit events that feed into the customer's incident response workflow; the platform is not a substitute for the procedure itself.
The platform's persistent state lives in Postgres. The operator runs the backup process.
pg_dump, point-in-time recovery via WAL, and disk-level snapshots.For self-hosted deployments, all of §164.310 — facility access, workstation use, device controls — is the operator's responsibility. Sovereign runs in your datacenter, colocation, VPC, or air-gap. Nemorion Technologies has no facility access and provides no physical controls.
For the Managed tier, Nemorion Technologies will document its facility controls once that tier launches and a BAA is in place.
Every user is assigned a stable unique identifier (subject claim on every authentication token; immutable identifier on every user record). Audit events carry the actor's identifier.
Emergency access is handled via admin grant. A tenant administrator grants a user temporary, scoped access to specific resources needed for an emergency; the user performs the action; the grant is revoked. Every step is audited.
Sovereign does not offer self-service break-glass elevation. This is by design: the platform is project management and automation, not clinical care. Workflows where time-critical break-glass is essential require purpose-built EHR systems.
Session timeout policies (idle and absolute) are declared today. Runtime refresh-time idle enforcement and client-side UI activity detection are in progress.
Sovereign provides a tamper-evident audit chain at the platform level. Audit events are written to an append-only store with cryptographic hash-chain linkage between rows, enforced by database-level role separation and triggers. A chain verifier walks the chain to detect tampering.
Customers operating regulated workloads should treat the request-level audit log as the primary record today, with SIEM forwarding as a secondary record. The hash chain provides integrity for the events that reach it; full surface coverage is in progress.
The audit chain provides integrity (tamper-evidence) for emitted audit events. Per-record integrity of business data is the customer's responsibility (Postgres-level integrity, disk-level integrity, backup verification).
For regulated workloads where ePHI integrity must be cryptographically attestable per record, additional controls are required at the application layer. The platform does not currently provide per-record content hashes for business data.
Token-based authentication enforces issuer, audience, signature, and lifetime claims. Revoked tokens are rejected in real time via a distributed revocation check.
Authentication modes:
TOTP-based MFA with backup codes is available in Local mode. OIDC delegates MFA to your IdP. Per-tenant MFA enforcement (a policy that forces MFA for all users) is in progress.
Public APIs enforce HTTPS. Internal service-to-service traffic (between application services, Postgres, message queue, and cache) is operator-configured.
sslmode=verify-full, message queue TLS, cache TLS).These are not technical controls per se; they are mechanisms a Covered Entity uses to respond to individual rights requests. The platform provides hooks for the operator to satisfy them.
A Covered Entity must be able to return an individual's data on request. Sovereign provides per-product admin access to query each product's data store. A consolidated cross-product export orchestrator is not provided; customers integrate per-product queries through their standard data-export tooling.
Amendment requests are policy-driven (the Covered Entity decides whether to accept). The platform supports record edits through normal workflows; the operator implements the amendment workflow.
The audit chain is the basis for accounting of disclosures. Today the request-level audit answers "who accessed record X when" for events that authenticated through the platform. Structured before-and-after summaries for project-management entity mutations are partially in place — cascade-level events are wired; primary create/update emission is in progress.
Sovereign provides per-product admin endpoints to hard-delete user content. A consolidated cross-product user-purge orchestrator is not provided; customers run per-product deletion through standard admin tooling.