Security & trust
HIPAA & security posture
Last updated: July 10, 2026
Borderless is built for HIPAA-regulated dermatology practices. This page summarizes our current posture. Customers receive a full security review packet and executed BAA at contracting.
Business Associate Agreement (BAA)
Borderless signs a Business Associate Agreement with every customer at signup. The BAA governs any Protected Health Information (PHI) we process on behalf of your practice.
Encryption
- TLS 1.2+ for all data in transit.
- AES-256 for data at rest, including database volumes and backups.
- Managed key rotation on the underlying cloud infrastructure.
Access controls & auditability
- Role-based access control aligned to clinic roles (provider, front desk, biller, admin).
- Single sign-on and multi-factor authentication supported.
- Full audit logs of every read, write, and administrative action, retained per BAA terms.
Read-safe EHR sync
Borderless syncs with your existing EHR and does not modify clinical records without an explicit, logged action by an authorized user in your practice. Sync failures fail closed — we do not silently alter source data.
Compliance program
- SOC 2 Type II audit in progress; report available under NDA once complete.
- Annual risk assessments and workforce training aligned to the HIPAA Security Rule.
- Documented incident response and breach notification procedures.
Subprocessors
A current subprocessor list, including infrastructure, monitoring, and email providers, is available on request and referenced in the BAA.
Contact
Security questions, vulnerability reports, or requests for the security review packet: security@withborderless.com.