Security & Compliance

Monolithik is built for healthcare workflows that touch protected health information. This document describes the infrastructure, data handling, and access controls that keep that information secure.

HIPAA Infrastructure

Monolithik runs entirely on Google Cloud Platform under a single executed Business Associate Agreement (BAA). Every service in our stack is drawn from Google's list of HIPAA-eligible products — we do not route protected health information through any service that falls outside that list.

Data is encrypted in transit using TLS 1.3 and at rest using AES-256. Encryption is enforced at the platform level; there is no unencrypted path for data to reach our systems or storage.

Data Handling

Audio captured during a session is processed transiently and deleted within five minutes of capture. We do not retain raw audio.

We do not store patient names or other direct identifiers. Clinical work is associated only with pseudonymous client references — opaque identifiers that carry no personally identifying information on their own.

Access Controls

User identity is managed through Firebase Authentication. Application data is protected by Firestore row-level security rules, so users can only read and write records that belong to them.
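The per-user scoping described above is typically expressed in Firestore Security Rules that compare the signed-in user's Firebase Authentication uid against an owner field on each document. The ruleset below is an added illustration, not Monolithik's own rules: the `sessionNotes` collection, the `ownerId` field, and the helper function names are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: the request carries a Firebase Authentication identity.
    function signedIn() {
      return request.auth != null;
    }

    // Helper: the signed-in uid matches the document's owner field.
    function isOwner(ownerId) {
      return signedIn() && request.auth.uid == ownerId;
    }

    // Hypothetical collection (assumption for this example): each document
    // stores a pseudonymous client reference plus the uid of the user who
    // created it in `ownerId`. No direct patient identifiers are stored.
    match /sessionNotes/{noteId} {
      // Read: only the owner of the existing document.
      allow read: if isOwner(resource.data.ownerId);

      // Create: the caller must stamp their own uid as owner. A document
      // that names another uid, or omits the field, is rejected.
      allow create: if isOwner(request.resource.data.ownerId);

      // Update: the caller must own the existing document and the update
      // may not reassign ownership to a different uid.
      allow update: if isOwner(resource.data.ownerId)
                    && request.resource.data.ownerId == resource.data.ownerId;

      // Delete: only the owner.
      allow delete: if isOwner(resource.data.ownerId);
    }

    // Explicit catch-all. Firestore already denies any path with no matching
    // allow rule; this block documents that intent for reviewers.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two points worth checking in any ruleset of this shape: the `create` rule must validate the owner field on `request.resource` (the incoming document), not `resource` (which does not exist yet), and the `update` rule must pin `ownerId` to its existing value, otherwise a user could write a record and then hand it to another uid. Because Firestore grants access when any matching rule allows it, the trailing deny block is declarative rather than restrictive; the real guarantee comes from every `allow` being conditioned on `request.auth.uid`.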

Access to data is recorded through audit logging via Cloud Logging, providing a tamper-evident trail of system and administrative activity.

Business Associate Agreement

Monolithik LLC executes a BAA with each covered entity prior to handling any protected health information. Contact hello@monolithik.com to request a BAA.

Contact

Please direct security disclosures and vulnerability reports to security@monolithik.com. We review every report and aim to respond promptly.