Security
Security-first.
By architecture, not afterthought.
Pryzma was designed from day one for healthcare data. Every architectural decision — from infrastructure to AI model selection — starts with security, not convenience. NIST-aligned, HIPAA-hardened, zero-trust by default.
Standards
Framework alignment
Pryzma's security posture is built on recognized federal and industry frameworks — not ad-hoc checklists.
NIST 800-53
Security & Privacy Controls
Pryzma's control environment aligns with NIST SP 800-53 Rev. 5 — the gold standard for federal information systems and healthcare organizations. Controls mapped across access control (AC), audit & accountability (AU), system & communications protection (SC), and incident response (IR) families.
- AC — Role-based access, least privilege, session controls
- AU — Immutable audit logs, SHA-256 integrity verification
- SC — TLS 1.3 in transit, AES-256 at rest, network segmentation
- IR — Automated anomaly detection, incident classification
- IA — JWT authentication, MFA enforcement, credential rotation
NIST AI RMF 1.0
AI Risk Management Framework
Every AI integration in Pryzma follows the NIST AI Risk Management Framework — governing how models are selected, deployed, monitored, and audited in healthcare contexts. We don't just use AI. We govern it.
- GOVERN — AI use policies, BAA requirements, model selection criteria
- MAP — Risk categorization per use case, PHI exposure assessment
- MEASURE — Output validation, bias monitoring, accuracy benchmarks
- MANAGE — Human-in-the-loop review, model versioning, kill switches
NIST 800-53 Rev. 5 — Control Family Coverage
Access Control
- RBAC
- Least Privilege
- Session Lock
- Domain-Restricted Auth
Audit & Accountability
- Immutable Logs
- SHA-256 Integrity
- Centralized SIEM
- Tamper-Evident
System & Comms
- TLS 1.3
- AES-256 at Rest
- Network Segmentation
- VPC Isolation
Incident Response
- AI Threat Assessment
- Automated Evidence Packaging
- Response Playbooks
- 60-Day Breach Notification
Identification & Auth
- JWT / RS256
- MFA Enforced
- Credential Rotation
- OAuth 2.0 / OIDC
NIST AI RMF 1.0 — Pryzma AI Governance Lifecycle
Every AI interaction in Pryzma flows through all four NIST AI RMF functions — from policy governance through risk mapping, continuous measurement, and active management. No AI model is deployed without completing the full lifecycle.
HIPAA / HITECH
Full administrative, technical, and physical safeguard compliance. BAA executed with every vendor and subprocessor.
SOC 2 Type II
Infrastructure providers (AWS, GCP) maintain continuous SOC 2 Type II certification. Pryzma inherits and extends these controls.
HITRUST CSF
Control mapping compatible with HITRUST Common Security Framework for organizations requiring HITRUST certification.
Infrastructure
Cloud security architecture
Deployed on AWS and GCP with defense-in-depth — network isolation, encryption everywhere, and least-privilege access at every layer.
Amazon Web Services
- VPC isolation with private subnets, no public internet exposure for data services
- IAM roles with least-privilege policies, no long-lived credentials
- S3 bucket policies with deny-by-default, server-side encryption (SSE-S3/SSE-KMS)
- CloudTrail enabled for all API activity, forwarded to centralized SIEM
- RDS encryption at rest, automated backups with cross-region replication
- Lambda functions in VPC with security group restrictions
- AWS Bedrock for AI — data never leaves the AWS trust boundary
Google Cloud Platform
- Cloud Run with ingress controls, minimum instances for cold-start security
- BigQuery with column-level security, authorized views for PHI segregation
- Google OAuth 2.0 with domain-restricted sign-in, session TTL enforcement
- Cloud Audit Logs enabled for all data access and admin activity
- VPC Service Controls for BigQuery to prevent data exfiltration
- Cloud KMS for application-layer encryption key management
- BAA executed with Google Cloud covering all HIPAA-eligible services
Access Control
Authentication & authorization
Zero-trust identity verification at every boundary. No implicit trust, no shared credentials, no exceptions.
JWT Authentication
Stateless JSON Web Tokens with short-lived expiry, RS256 signing, and automatic rotation. No session state stored server-side.
Multi-Factor Authentication
MFA enforcement for all administrative and data access. TOTP and WebAuthn supported. No SMS fallback.
Role-Based Access Control
Granular RBAC with principle of least privilege. Roles mapped to NIST 800-53 AC family controls. Regular access reviews.
OAuth 2.0 / OIDC
Google OAuth and Microsoft Entra ID for federated identity. Domain-restricted authentication — no personal accounts.
Session Management
24-hour session TTL with sliding expiration. Automatic logout on inactivity. Session binding to originating IP range.
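The session rules above (absolute TTL, sliding inactivity expiry, binding to the client's IP range) can be expressed as a single validation step. The following Python is an added illustration written for this page, not Pryzma's implementation: the 24-hour TTL comes from the text, while the 30-minute idle timeout, the /24 (IPv4) and /64 (IPv6) binding prefixes, and the sample addresses are assumed values.

```python
"""Session validation: absolute TTL, sliding inactivity timeout, IP-range binding.

Added example, not Pryzma's code. TTL follows the page; idle timeout and
binding prefixes are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

SESSION_TTL = timedelta(hours=24)      # stated on the page
IDLE_TIMEOUT = timedelta(minutes=30)   # assumed
BIND_PREFIX = {4: 24, 6: 64}           # assumed: bind IPv4 to /24, IPv6 to /64


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    bound_network: object   # ip_network the session was issued from
    revoked: bool = False


def issue_session(user: str, client_ip: str, now: datetime) -> Session:
    """Create a session bound to the network prefix of the issuing client."""
    addr = ip_address(client_ip)
    net = ip_network(f"{addr}/{BIND_PREFIX[addr.version]}", strict=False)
    return Session(user=user, created_at=now, last_seen=now, bound_network=net)


def validate(session: Session, client_ip: str, now: datetime) -> Optional[str]:
    """Return None if the request may proceed, else the rejection reason.

    Sliding expiration: an accepted request refreshes last_seen, but the
    absolute TTL measured from created_at is never extended, so a session
    cannot be kept alive indefinitely by constant activity.
    """
    if session.revoked:
        return "revoked"
    if now - session.created_at > SESSION_TTL:
        return "ttl_expired"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "idle_timeout"
    if ip_address(client_ip) not in session.bound_network:
        # Rejected requests do not refresh last_seen.
        return "ip_range_mismatch"
    session.last_seen = now
    return None


def walkthrough() -> List[Optional[str]]:
    """Constructed sequence of requests against one session (sample data)."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    s = issue_session("analyst-1", "203.0.113.10", t0)
    results = [
        validate(s, "203.0.113.200", t0 + timedelta(minutes=10)),  # same /24: ok
        validate(s, "198.51.100.5", t0 + timedelta(minutes=11)),   # other range
        validate(s, "203.0.113.10", t0 + timedelta(minutes=50)),   # 40 min idle
    ]
    s2 = issue_session("analyst-2", "203.0.113.20", t0)
    s2.last_seen = t0 + timedelta(hours=24, minutes=50)  # kept active all day
    results.append(validate(s2, "203.0.113.20", t0 + timedelta(hours=25)))
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Because the TTL check runs before the idle check, a session that has been continuously active still ends at 24 hours; the idle timeout only shortens that window.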
API Rate Limiting
Per-endpoint rate limits, abuse detection, and automatic throttling. API keys scoped to specific operations and clients.
Data Protection
Encryption & integrity
Healthcare data is protected at every stage — in transit, at rest, and in processing. Cryptographic verification ensures nothing is tampered with.
TLS 1.3
In Transit
All data in transit encrypted with TLS 1.3. HSTS enforced. Certificate pinning for service-to-service communication.
AES-256
At Rest
All data at rest encrypted with AES-256. Customer-managed keys available via AWS KMS and Google Cloud KMS.
SHA-256
Integrity
Cryptographic hash verification on all audit records, compliance reports, and evidence packages. Tamper-evident by design.
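One common way to make audit records tamper-evident with SHA-256, as described in the AU controls above and in this card, is a hash chain: each record includes the hash of its predecessor, so changing, removing or reordering any record invalidates every hash after it. The Python below is an added example for this page, not Pryzma's code; the record fields, genesis value and sample events are constructed.

```python
"""Tamper-evident audit log using a SHA-256 hash chain.

Added illustration, not Pryzma's implementation. Record layout and the
sample events are constructed for the example.
"""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # constructed anchor value for the first record


def _canonical(record: Dict) -> bytes:
    # Deterministic serialisation: sorted keys, fixed separators.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[Dict], event: Dict) -> Dict:
    """Append an event, linking it to the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev_hash, **event}
    record = {**body, "hash": hashlib.sha256(_canonical(body)).hexdigest()}
    log.append(record)
    return record


def verify_chain(log: List[Dict]) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    expected_prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != expected_prev:
            return i  # gap, reorder or deletion
        if hashlib.sha256(_canonical(body)).hexdigest() != record["hash"]:
            return i  # field altered after the fact
        expected_prev = record["hash"]
    return -1


def build_sample_log() -> List[Dict]:
    # Constructed events; not real access data.
    events = [
        {"ts": "2024-05-01T09:00:00Z", "actor": "analyst-1",
         "action": "read", "resource": "report/42"},
        {"ts": "2024-05-01T09:05:00Z", "actor": "analyst-1",
         "action": "export", "resource": "report/42"},
        {"ts": "2024-05-01T09:07:00Z", "actor": "admin-7",
         "action": "role_grant", "resource": "user/analyst-1"},
    ]
    log: List[Dict] = []
    for e in events:
        append_record(log, e)
    return log


def tamper_demo() -> int:
    """Alter one field in the middle record and report where verification fails."""
    log = build_sample_log()
    log[1]["action"] = "read"  # quietly downgrade 'export' to 'read'
    return verify_chain(log)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))
    print("tampered at:", tamper_demo())
```

The chain detects modification but not truncation from the tail, which is why the head hash should also be anchored outside the log store (for example, periodically written to a separate system or signed).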
Zero Retention
AI Processing
AI providers contractually prohibited from storing, logging, or training on any data processed through Pryzma.
Operations
Monitoring & incident response
Continuous monitoring with automated anomaly detection. When something happens, Pryzma doesn't just alert — it investigates.
Continuous Monitoring
- Sigma-based statistical anomaly detection on all access patterns
- Real-time alerting with configurable severity thresholds
- CloudTrail + Cloud Audit Logs aggregated to centralized analysis
- Infrastructure health monitoring with automatic remediation
- Dependency vulnerability scanning on every build
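"Sigma-based" detection of the kind listed above scores a current observation against the mean and standard deviation of a baseline and flags anything beyond a chosen number of standard deviations. The Python below is an added example for this page, not Pryzma's detector: the 3-sigma threshold, the minimum baseline size, the standard-deviation floor and all access counts are constructed assumptions.

```python
"""Sigma-based anomaly detection over per-user hourly access counts.

Added example, not Pryzma's code. Thresholds and sample counts are
constructed; the floor on sigma keeps a flat baseline from yielding an
infinite z-score, and a thin baseline is reported rather than scored.
"""
from statistics import mean, pstdev
from typing import Dict, List, Optional

THRESHOLD_SIGMA = 3.0       # assumed alert threshold
MIN_BASELINE_POINTS = 10    # assumed: do not score on fewer samples
MIN_STDEV = 0.5             # assumed floor for a near-constant baseline


def z_score(baseline: List[int], observed: int) -> Optional[float]:
    """Standard score of `observed` against `baseline`, or None if too few points."""
    if len(baseline) < MIN_BASELINE_POINTS:
        return None
    mu = mean(baseline)
    sigma = max(pstdev(baseline), MIN_STDEV)
    return (observed - mu) / sigma


def score_window(history: Dict[str, List[int]],
                 current: Dict[str, int]) -> Dict[str, dict]:
    """Classify each user's current count as normal, anomalous or unscorable."""
    findings = {}
    for user, observed in current.items():
        z = z_score(history.get(user, []), observed)
        if z is None:
            verdict = "insufficient_baseline"
        elif z >= THRESHOLD_SIGMA:
            verdict = "anomalous"
        else:
            verdict = "normal"
        findings[user] = {"z": None if z is None else round(z, 2),
                          "observed": observed, "verdict": verdict}
    return findings


# Constructed hourly record-access counts for the previous 12 hours.
HISTORY = {
    "analyst-1": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 13],
    "analyst-2": [3, 4, 2, 3, 3, 4, 3, 2, 3, 4, 3, 3],
    "contractor-9": [5, 6, 4],   # new account, baseline too thin to score
}
# Constructed counts for the current hour.
CURRENT = {"analyst-1": 14, "analyst-2": 40, "contractor-9": 90}


def run_sample() -> Dict[str, dict]:
    return score_window(HISTORY, CURRENT)


if __name__ == "__main__":
    for user, f in run_sample().items():
        print(f"{user:14s} z={f['z']!s:>6} observed={f['observed']:>3} {f['verdict']}")
```

The "insufficient_baseline" outcome matters operationally: a brand-new account has no history to be anomalous against, so it should be routed to a separate new-identity rule rather than silently scored as normal.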
Incident Response
- AI-powered threat assessment with CRITICAL/HIGH/MEDIUM/LOW classification
- Automated evidence packaging with forensic chain of custody
- Tiered response playbooks aligned to NIST 800-53 IR controls
- Breach notification workflow compliant with HIPAA 60-day rule
- Post-incident review with root cause analysis and control updates
AI Governance
Responsible AI in healthcare
Governed by NIST AI RMF 1.0. Every model, every query, every output — audited, validated, and controlled.
Model Selection Criteria
AI models evaluated on security posture, BAA availability, data handling policies, and healthcare domain performance before integration.
BAA on Every Model
Business Associate Agreements executed with Anthropic, OpenAI, and Google before any model touches healthcare data. No exceptions.
Bedrock Routing
AI inference routed through AWS Bedrock — data never leaves the AWS trust boundary. No direct calls to provider APIs.
Output Validation
AI-generated threat assessments validated against statistical evidence. Confidence scores and source attribution on every output.
Complete Audit Trail
Every AI query logged: timestamp, model, token count, PHI indicator, latency, and output hash. Immutable and queryable.
No Training on Your Data
Contractual and technical controls ensure no provider trains models on Pryzma customer data. Zero retention, zero learning.
Questions?
Security starts with a conversation.
Have questions about Pryzma's security architecture, compliance posture, or data handling? We're happy to walk through our controls in detail.