> ## Documentation Index
> Fetch the complete documentation index at: https://docs.medera.info/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance & Trust

> Medera's compliance program.

Medera operates under a HIPAA-grade, 42 CFR Part 2-aware controls program. Every request runs through a tenant-scoped runtime with Row-Level Security, encrypted PHI encryption, and Merkle-tree audit integrity.

<CardGroup cols={2}>
  <Card title="HIPAA" icon="https://mintcdn.com/medera-357fd587/n1mgcc3nR2sq_PoL/icons/ui/shield-check.svg?fit=max&auto=format&n=n1mgcc3nR2sq_PoL&q=85&s=6909d120dcab3cdfef838294f042d00c" href="/compliance/hipaa" width="40" height="40" data-path="icons/ui/shield-check.svg">
    Access control, audit, integrity, transmission security.
  </Card>

  <Card title="42 CFR Part 2" icon="https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/shield-alert.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=9a31ae547e9c652f00965438ad5f90e7" href="/compliance/42-cfr-part-2" width="40" height="40" data-path="icons/ui/shield-alert.svg">
    SUD data with explicit consent + re-disclosure.
  </Card>

  <Card title="BAA / DPA" icon="https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/file-text.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=7cc7f358d5e4af95c1bc5110b45a9b68" href="/compliance/baa" width="40" height="40" data-path="icons/ui/file-text.svg">
    Business Associate Agreement + Data Processing Addendum.
  </Card>

  <Card title="Sub-processors" icon="https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/link.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=44f5f1ae1b0122daa0138e9f47b49449" href="/compliance/sub-processors" width="40" height="40" data-path="icons/ui/link.svg">
    Current sub-processor list.
  </Card>

  <Card title="Security Controls" icon="https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/lock.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=c9887b4194639a1779d01352d3348ef2" href="/compliance/encryption" width="40" height="40" data-path="icons/ui/lock.svg">
    Encryption, audit, RLS, access control.
  </Card>

  <Card title="Data Residency" icon="https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/globe.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=c6381a12d6805e01a35cb84787415b5b" href="/compliance/data-residency" width="40" height="40" data-path="icons/ui/globe.svg">
    US, EU, customer-VPC options.
  </Card>
</CardGroup>

## Certifications and posture

| Control             | Status                        |                                                                                        |
| :------------------ | :---------------------------- | -------------------------------------------------------------------------------------- |
| HIPAA Security Rule | Operating, externally audited |                                                                                        |
| HIPAA Privacy Rule  | Operating                     |                                                                                        |
| 42 CFR Part 2       | Operating                     |                                                                                        |
| SOC 2 Type II       | In audit                      |                                                                                        |
| HITRUST             | Roadmapped                    |                                                                                        |
| ISO 27001           | Roadmapped                    | Request the current report bundle from [trust.medera.info](https://trust.medera.info). |
