Security at ReasonTele
Built from the ground up to protect sensitive health information.
Last updated: March 1, 2026
This document was last updated on the date above. We recommend consulting a healthcare attorney for your specific compliance needs.
1. Our Approach
Security is foundational to everything we build. ReasonTele Connect uses a defense-in-depth architecture with multiple layers of protection for data at every stage — in transit, at rest, and during processing. No system is 100% secure, but we are committed to implementing industry best practices and continuously improving our security posture.
2. Encryption
In Transit
All data transmitted between clients and our servers is encrypted using TLS 1.3. We enforce HTTPS on all connections and use HSTS to prevent downgrade attacks.
At Rest
All stored data, including databases and backups, is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management system with regular rotation.
Video & Audio
All telehealth video and audio streams are encrypted using WebRTC with SRTP (Secure Real-time Transport Protocol), ensuring end-to-end media encryption during sessions.
3. Access Controls
- Role-Based Access Control (RBAC): Users are granted only the permissions necessary for their role. Access to PHI is restricted to authorized personnel.
- Multi-Factor Authentication (MFA): Required for all administrative access to infrastructure and production systems.
- Principle of Least Privilege: Internal access to systems and data follows least-privilege principles, with regular access reviews.
- Session Timeouts: Automatic session expiration after periods of inactivity to prevent unauthorized access.
- Audit Logging: All access to PHI is logged with timestamps, user identity, and action taken. Audit logs are immutable and retained per compliance requirements.
4. Infrastructure
- Self-Hosted Video: We use self-hosted Jitsi for video conferencing. Video and audio streams never route through third-party consumer video platforms.
- Encrypted Database: PostgreSQL with encryption at rest and encrypted connections. Database access requires authentication and is restricted to application services.
- Tenant Isolation: Customer data is logically isolated to prevent cross-tenant access. Each organization's data is segmented and access-controlled independently.
- Network Security: Firewalls, intrusion detection, and network segmentation protect our infrastructure. Only necessary ports and services are exposed.
5. HIPAA Compliance
ReasonTele Connect is designed to meet the requirements of the HIPAA Security Rule, including administrative, physical, and technical safeguards as specified in 45 CFR §164.308–318. We execute a Business Associate Agreement (BAA) with every healthcare customer at no additional cost.
For more information about our BAA, visit our BAA page.
6. Data Handling
- Retention Policies: Data is retained only as long as necessary to provide services and meet legal obligations. Specific retention periods are defined in customer agreements.
- Cryptographic Deletion: When data is deleted, we use cryptographic erasure to ensure it cannot be recovered.
- Encrypted Backups: Backups are encrypted using the same standards as primary data and stored in geographically separate locations.
- Data Residency: Customer data is stored in specified geographic regions. Enterprise customers may select their preferred data residency location.
7. Incident Response
We maintain a documented incident response plan that includes:
- 24-Hour Discovery Notification: Affected customers are notified within 24 hours of discovering a security incident involving their data.
- Investigation & Containment: Immediate containment measures followed by thorough root cause analysis.
- HIPAA Breach Notification: Full compliance with the HIPAA Breach Notification Rule (45 CFR §164.400–414), including the 60-day notification requirement.
- Post-Incident Review: Every incident is followed by a review to identify improvements and prevent recurrence.
8. Security Testing
- Penetration Testing: Regular third-party penetration testing of our platform and infrastructure.
- Vulnerability Scanning: Automated vulnerability scanning of all production systems on an ongoing basis.
- Dependency Auditing: Continuous monitoring of third-party dependencies for known vulnerabilities with automated alerting and patching workflows.
- Code Review: All code changes undergo peer review with security considerations as part of the review process.
9. Self-Hosting Option
For enterprise customers who require full control over their infrastructure, ReasonTele Connect offers a self-hosted deployment option. This allows organizations to run the entire platform within their own infrastructure, maintaining complete control over data storage, network configuration, and security policies.
10. Shared Responsibility
Security is a shared responsibility: we secure the platform, and our customers are responsible for the areas listed under "Customers Own" below.
We Secure
- Platform infrastructure
- Data encryption
- Application security
- Availability & uptime
- Security patching
- Incident response
Customers Own
- Staff HIPAA training
- Device & endpoint security
- Patient consent processes
- Network security (local)
- Account credential management
- Access control policies
11. Responsible Disclosure
We value the security research community. If you discover a security vulnerability in our platform, please report it responsibly to security@reasontelehealth.com. We ask that you:
- Provide sufficient detail for us to reproduce and address the issue.
- Allow reasonable time for us to investigate and remediate before public disclosure.
- Avoid accessing, modifying, or deleting data that does not belong to you.
We commit to acknowledging reports within 48 hours and will work with researchers in good faith to resolve issues promptly.
Contact
For security-related questions or concerns:
ReasonWorks AI Inc.
Email: security@reasontelehealth.com