SECURITY & COMPLIANCE

Built for the sensitivity of recovery data

Recovery-residence networks handle some of the most sensitive personal information there is. Simple Recovery is built to protect it — technically and operationally — from day one.

How we protect resident data

Data isolation

Every organization's data is separated at the database level — each only sees its own. This is enforced by the system, not just the interface.

Access controls

Access is role-scoped and enforced on the server: people see only what their role allows. Multi-factor authentication is available for administrator accounts.

Encryption

Resident data is encrypted both in transit and at rest, using current industry-standard encryption.

Audit trail

Every change is written to an append-only audit log secured with a cryptographic hash chain, so the record of what happened can't be quietly altered.

Built on infrastructure that takes compliance seriously

Simple Recovery runs on established cloud infrastructure chosen for its security and compliance posture. Before any real resident data is handled in production, Business Associate Agreements are executed with the vendors that process it. Email is handled through a provider under a signed Business Associate Agreement, and no clinical content is ever sent by email.

Records held by recovery-residence networks can fall under 42 CFR Part 2, the federal rule governing substance use disorder records. Simple Recovery is being designed to support Part 2 and HIPAA workflows — including the kinds of consent and disclosure controls these rules call for — as part of how the platform is built out with our partner networks.

Designed with 42 CFR Part 2 in mind

Have questions about how we handle data?

We're happy to walk through our security and compliance approach in detail — and answer the specific questions your network needs answered before trusting us with resident data.