JamEMR

Trust Center

Patient data deserves more than promises.

This is the single source of truth for JamEMR's security and privacy posture. Every page distinguishes what is implemented today from what is on our compliance roadmap — no vague claims.

Security Overview

How JamEMR protects clinical data today — local AI processing, least-privilege access, audit logging, and approval-gated changes — and what is on our security roadmap ahead of general availability.

HIPAA

JamEMR is designed to support customers' HIPAA compliance obligations, with safeguards mapped to the Security Rule and BAAs executed before any PHI is handled. No vendor is "HIPAA certified" — we say so plainly.

Encryption

TLS protects data in transit on exposed interfaces; data at rest is protected with disk-level encryption configured per deployment. Clinical AI processing stays local, so PHI does not transit consumer AI clouds.

Data Privacy

JamEMR's flagship privacy property is architectural — clinical AI runs on local hardware inside the deployment environment, so PHI is not sent to third-party consumer AI clouds. Pilots use synthetic data first.

Access Controls

Role-based access control with least-privilege roles is enforced today — front-desk staff cannot reach clinical AI functions — alongside registered API tokens for services and approval gates on privileged changes.

Audit Logging

Application-level audit logging is live today — chart access and changes are recorded, and every ambient-note draft, edit, and signature leaves an entry. If it touched a record, there is a log line for it.

Infrastructure

JamEMR runs clinical AI on dedicated GPU hardware inside the deployment environment. TLS in transit, disk-level encryption at rest, versioned migrations, and approval-gated operational changes are in place today.

Incident Response

How JamEMR classifies, contains, and communicates security incidents — including breach notification consistent with the HIPAA Breach Notification Rule, without unreasonable delay.

Disaster Recovery & Business Continuity

Honest current state: scheduled backups run today and restore procedures are being formalized. Formal, SLA-backed disaster-recovery commitments are in development ahead of general availability.

Business Associate Agreements

JamEMR executes a Business Associate Agreement with each covered entity before any PHI is handled — no exceptions. What a BAA is, what ours covers, and how to request one through [email protected].

Subprocessors

JamEMR's architecture minimizes subprocessors — clinical AI runs locally, so no subprocessor receives PHI for clinical AI processing. The current minimal list is published here. This is a living document.

Compliance Roadmap

A staged, honest view of JamEMR's compliance program — pilot-phase controls in place now; formal policy pack, risk analysis, and penetration testing next; SOC 2 Type II and expanded certifications later.

Responsible Disclosure

Good-faith security research is welcome. Scope, rules, and safe harbor for reporting vulnerabilities to [email protected] — acknowledged within 3 business days. No bug bounty program yet; we say so honestly.

Security Contact

Report vulnerabilities to [email protected] and privacy matters to [email protected]. What to include in a report, our 3-business-day acknowledgement commitment, and where to find our security.txt.

Found a security issue?

We welcome good-faith security research. Report vulnerabilities to [email protected] or read our responsible disclosure policy.