Security
Last updated: April 1, 2026
You are trusting Attunio with some of your most sensitive information. This page describes the technical and organizational measures we use to keep it safe — from encryption and access controls to independent audits and incident response.
1. Security at Attunio
Security is not a feature we bolt on — it is a core part of how we design and operate the Attunio platform. We follow industry best practices and maintain independent certifications to ensure your data is protected at every layer.
2. Certifications and audits
- SOC 2 Type II — independently audited controls for security, availability, and confidentiality.
- HIPAA & HITECH — full compliance for the handling of protected health information.
- LegitScript Certification Pending — application in review for verified, compliant telehealth operations.
- Annual third-party penetration testing and continuous vulnerability scanning.
3. Encryption
All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Encryption keys are managed through a dedicated key management service with strict rotation and access policies. Video sessions are encrypted end to end.
4. Access controls
- Role-based access control enforcing least privilege across all systems.
- Multi-factor authentication required for every staff and clinician account.
- Automatic session timeouts and full audit logging of access to sensitive data.
- Quarterly access reviews and immediate deprovisioning on role changes.
5. Infrastructure
Attunio runs on cloud infrastructure hosted in SOC 2 and ISO 27001 certified data centers with 24/7 physical security, redundant power, and environmental controls. Our environments are segmented, with production data isolated from development and staging. We maintain automated backups with point-in-time recovery and tested disaster-recovery procedures.
6. Monitoring and incident response
We continuously monitor our systems for suspicious activity using intrusion detection, log analysis, and automated alerting. Our documented incident response plan defines clear roles, escalation paths, and communication procedures. In the event of a security incident affecting your data, we will notify you in accordance with applicable law.
7. Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in our systems, please email security@attunio.co with details. We ask that you give us a reasonable opportunity to investigate and remediate before public disclosure, and we commit to acknowledging your report promptly. We do not pursue legal action against researchers who act in good faith and avoid privacy violations or service disruption.
8. Contact
For security questions, audit reports, or to request our security documentation, contact security@attunio.co.