Security documentation

How your patient data
is protected, and where it lives.

This is the technical reference for your security file: the architecture, encryption, access control, audit logging, and data residency behind Montego. For the regulatory side — supervision, consent, scope, and state rules — see Security & compliance.

AES-256 / TLSUS data residencyBAA on every plan
Architecture

Security is structural, not bolted on.

Because every surface reads and writes one patient record, there is one place to encrypt, one place to enforce access, and one place to log. Protection isn’t spread across integrations — it lives in the record itself.

Application

The desktop web app, iPad provider workspace, and patient kiosk — every surface authenticates against the same identity and writes to the same record.

Data

A single patient record store. PHI is encrypted, access is mediated by role, and every read and write is logged.

Infrastructure

US-based, healthcare-grade cloud infrastructure operated under a Business Associate Agreement, with continuous monitoring.

The controls

Encryption, access, and accountability.

The technical controls that protect PHI on Montego. Items marked are pending verified specifics for your security questionnaire.

Encryption in transit

All traffic between your devices and Montego is encrypted with TLS.

Encryption at rest

PHI is encrypted at rest using AES-256.

Key management

Encryption keys are managed separately from the data they protect, with rotation.

Role-based access control

Access is least-privilege and mapped to scope of practice — staff see only what their role requires.

Multi-factor authentication

MFA is enforced on every account.

Audit logging

Every access and change to a record is timestamped and attributable to a named user.

Session controls

Idle timeout and device session management reduce the risk of unattended access.

Vulnerability management

Ongoing patching and periodic third-party penetration testing.

Data residency & infrastructure

Where your data lives.

PHI is stored on US-based, healthcare-grade cloud infrastructure operated under a Business Associate Agreement, with continuous monitoring and a tested incident-response process.

United States
Data location
PHI stored on US-based infrastructure
AES-256 / TLS
Encryption
At rest and in transit
6 years
Audit retention
Attributable access and change logs
On every plan
BAA
Business Associate Agreement included
Attestations & programs

What we can show your compliance team.

Badges reflect actual status. HIPAA is a supported control covered by a BAA — a shared responsibility, not a guarantee — and certification details marked should be verified before they’re published.

SOC 2 Type II

Independent audit of security controls.

HIPAA — supported control

Montego provides HIPAA-aligned controls and signs a BAA on every plan. HIPAA compliance is a shared responsibility — it is not a guarantee, and your practice remains accountable for its own program.

Incident response

A defined, tested breach-response process with defined notification steps.

Subprocessor transparency

Infrastructure and processing subprocessors are documented and BAA-covered where they handle PHI.

Security — this page

How patient data is technically protected: encryption, access control, audit logging, data residency, and the infrastructure it runs on.

Compliance — the other page

How your practice meets its regulatory obligations: supervision, consent, scope of practice, and state rules across the states you operate in.

Security FAQ

For your security questionnaire.

On US-based, healthcare-grade cloud infrastructure operated under a Business Associate Agreement.

Yes — in transit with TLS and at rest with AES-256, with encryption keys managed separately from the data they protect.

Only staff whose role grants access. Permissions are least-privilege and mapped to scope of practice, and every access is logged and attributable.

Yes. A Business Associate Agreement is included on every plan, at every tier — it is not an add-on.

Montego maintains a SOC 2 Type II program covering its security controls.

Security is how your data is technically protected — encryption, access, logging, residency. Compliance is how your practice meets its regulatory obligations — supervision, consent, scope, and state rules. See Security & compliance for the regulatory side.

Need our security package?

We’ll walk your compliance team through the architecture and share the documentation you need.