HIPAA & Compliance
HostSwarm is designed from the ground up for HIPAA alignment. Our architecture minimizes PHI risk through zero data retention and sovereign infrastructure.
Disclaimer: HostSwarm is designed for HIPAA alignment. HIPAA itself has no official certification program; the third-party attestations listed in the Compliance Roadmap below are in progress or planned. We provide a BAA upon request.
Security Architecture
Zero PHI Retention
DICOM files are processed in memory and purged as soon as the report has been returned. DICOM headers carry patient identifiers, so headers and pixel data are both treated as PHI; neither is written to disk or to logs.
Sovereign Infrastructure
We own all 296 GPUs. No cloud providers, no third-party access, no data leaving our facility.
Cryptographic Auth
Every request is signed with the client's Ed25519 key, so there are no passwords or bearer tokens to steal. The client's private key is the one secret to protect: keep it off shared hosts and rotate it if it is ever exposed.
Audit Trail
Every API call is logged with client ID, timestamp, and operation. Client identity is an ENS name, so each entry attributes the call to a public, on-chain identity rather than to a reusable secret.
Data Handling
What We Process
- DICOM image pixel data for AI inference
- DICOM metadata (study date, series description)
What We Store
| Data Type | Stored? | Duration |
|---|---|---|
| DICOM files | No | Deleted immediately after processing |
| Patient names/IDs | No | Never stored |
| AI-generated reports | No | Returned to client, not stored |
| API request logs | Yes | 30 days (no PHI) |
| Billing records | Yes | 7 years (no PHI) |
Data Flow
- Client uploads DICOM over a TLS 1.3 connection
- DICOM is held in memory only and never written to disk (swap and core dumps must be disabled on the inference host for this to hold)
- AI inference runs on our GPUs
- PDF report is generated and returned to the client
- All DICOM data is purged from memory
- Only request metadata is logged: client ID, timestamp, operation, inference time
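The signing, verification and audit steps above, worked end to end as a Go example. This is added illustration, not HostSwarm's code: the canonical signed string (client ID, method, path, RFC 3339 timestamp, SHA-256 of the body), the five-minute replay window, the audit field names, the `.eth` client ID and the sample DICOM bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// maxSkew bounds how long a captured request could be replayed (assumed value).
const maxSkew = 5 * time.Minute

// SignedRequest is the client-side envelope: identity, operation, timestamp and
// body, plus an Ed25519 signature over the canonical form of all of them.
type SignedRequest struct {
	ClientID  string
	Method    string
	Path      string
	Timestamp time.Time
	Body      []byte // DICOM bytes; kept in memory only
	Signature []byte
}

// AuditRecord is the only thing persisted per request. It has no field that
// could carry PHI: no patient identifiers, no pixel data, no report text.
type AuditRecord struct {
	ClientID    string `json:"client_id"`
	Timestamp   string `json:"timestamp"`
	Operation   string `json:"operation"`
	InferenceMS int64  `json:"inference_ms"`
	Outcome     string `json:"outcome"`
}

// canonical is the byte string both sides sign and verify. Binding the body
// hash and the timestamp means a captured signature cannot be reused on a
// different DICOM file or outside the replay window. (Assumed format.)
func canonical(clientID, method, path string, ts time.Time, body []byte) []byte {
	h := sha256.Sum256(body)
	return []byte(clientID + "\n" + method + "\n" + path + "\n" +
		ts.UTC().Format(time.RFC3339) + "\n" + hex.EncodeToString(h[:]))
}

// Sign is the client side; the private key never leaves the client.
func Sign(priv ed25519.PrivateKey, clientID, method, path string, ts time.Time, body []byte) SignedRequest {
	return SignedRequest{
		ClientID: clientID, Method: method, Path: path, Timestamp: ts, Body: body,
		Signature: ed25519.Sign(priv, canonical(clientID, method, path, ts, body)),
	}
}

// Verify is the server side, run before the body is touched at all.
func Verify(keys map[string]ed25519.PublicKey, req SignedRequest, now time.Time) error {
	pub, ok := keys[req.ClientID]
	if !ok {
		return errors.New("unknown client id")
	}
	if d := now.Sub(req.Timestamp); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside replay window")
	}
	msg := canonical(req.ClientID, req.Method, req.Path, req.Timestamp, req.Body)
	if !ed25519.Verify(pub, msg, req.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// HandleInference follows the data-flow steps: verify, run inference on the
// in-memory body, zero the body, and emit a PHI-free audit record. infer stands
// in for the GPU model (assumption: DICOM bytes in, report bytes out).
func HandleInference(keys map[string]ed25519.PublicKey, req SignedRequest, now time.Time,
	infer func([]byte) []byte) ([]byte, AuditRecord, error) {
	rec := AuditRecord{ClientID: req.ClientID, Timestamp: now.UTC().Format(time.RFC3339),
		Operation: req.Method + " " + req.Path}
	if err := Verify(keys, req, now); err != nil {
		rec.Outcome = "rejected"
		return nil, rec, err
	}
	start := time.Now()
	report := infer(req.Body)
	rec.InferenceMS = time.Since(start).Milliseconds()
	// Purge the buffer we hold. Copies made by the runtime or the model are out
	// of scope here; on a real host also disable swap and core dumps.
	for i := range req.Body {
		req.Body[i] = 0
	}
	rec.Outcome = "ok"
	return report, rec, nil
}

// AuditLine is the single log line written for the request.
func AuditLine(rec AuditRecord) string {
	b, _ := json.Marshal(rec)
	return string(b)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"clinic.example.eth": pub} // registered client keys (constructed)
	// Constructed stand-in for an upload; it carries a patient name to show it never reaches the log.
	dicom := []byte("DICM PatientName=DOE^JANE PixelData=...")
	now := time.Now()
	req := Sign(priv, "clinic.example.eth", "POST", "/v1/inference", now, dicom)
	report, rec, err := HandleInference(keys, req, now, func(b []byte) []byte {
		return []byte(fmt.Sprintf("report over %d bytes", len(b)))
	})
	fmt.Println(string(report), err)
	fmt.Println(AuditLine(rec))
}
```

The check a reviewer should make against any such implementation is the negative one: a request with a modified body, a stale timestamp, an unregistered client ID or a signature from the wrong key must all be rejected before the DICOM bytes are read, and the audit line must contain nothing that appeared inside the DICOM payload.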
HIPAA Alignment
Key Principle: The best way to protect PHI is to not store it.
Technical Safeguards
- Encryption in transit: TLS 1.3 for all API communications
- Encryption at rest: not applicable to PHI, since none is stored; the request logs and billing records that are kept contain no PHI
- Access controls: per-client Ed25519 request signing; only requests signed by a registered client key are processed
- Audit logging: All API calls logged without PHI
- Automatic logoff: Stateless API - no sessions
Physical Safeguards
- Self-owned facility (not cloud/colo)
- Physical access controls
- No third-party physical access
Administrative Safeguards
- Security policies and procedures documented
- Incident response plan in place
- Business Associate Agreement (BAA) available
Business Associate Agreement
We provide a BAA for covered entities. To request a BAA:
- Email compliance@hostswarm.io
- Include your organization name and contact
- We'll send our standard BAA for review
Compliance Roadmap
| Milestone | Status |
|---|---|
| HIPAA-aligned architecture | Complete |
| BAA template | Complete |
| SOC 2 Type I | In Progress |
| SOC 2 Type II | Planned |
| HITRUST | Planned |
Questions?
For compliance questions or to request our security documentation:
- Email: compliance@hostswarm.io
- Discord: discord.gg/quantumswarm