Platform Security & Access Control
RRM implements secure authentication and access control mechanisms aligned with industry best practices.
Single Sign-On (SSO)
SSO is available for enterprise customers, including integration with identity providers over standard protocols (e.g., SAML, OIDC), enabling centralized identity and access management.
Multi-Factor Authentication
MFA is supported and can be enforced to provide an additional layer of security for user access across the platform.
Password Security
Password policies are enforced using configurable controls aligned with industry best practices:
- Minimum length and complexity requirements
- Protection against commonly used or compromised passwords
- Secure storage using hashing and salting mechanisms
Customers may configure stricter password requirements based on their internal security policies.
Authentication Logging & Monitoring
Authentication and access events — including login attempts, failures, and MFA challenges — are logged and made available for centralized monitoring, security analysis, and audit purposes.
These logs support operational visibility, anomaly detection, and security investigations.
Access Control & Governance
Access to systems and customer data is governed by role-based access controls (RBAC) and least privilege principles.
- Access rights are reviewed on a periodic basis (at least quarterly)
- Inactive or unnecessary access is removed in a timely manner
- Administrative access is restricted and monitored
Infrastructure & Data Protection
The RRM platform is built on secure, cloud-native infrastructure designed for resilience and data protection.
Multi-AZ Deployment
Deployed across multiple availability zones for redundancy and resilience.
Continuous Monitoring
Ongoing monitoring of system health and performance across services.
Encryption Everywhere
Data is encrypted in transit and at rest using industry-standard protocols.
Managed Cloud Services
Built on managed cloud services to support scalability and reliability.
Customer data is hosted within secure cloud infrastructure and is stored and processed within the United States unless otherwise agreed.
Data Ownership & Lifecycle
Customers retain full ownership of their data. RRM processes customer data solely to provide the Services and fulfill contractual obligations.
Data Export
Customers may request export of their data during the contract term in standard formats (e.g., JSON, CSV, PDF) via secure delivery methods.
Post-Termination Retrieval
Customers may request retrieval of their data for a defined period following termination — typically 30 days.
Data Deletion
Following the data retrieval period:
- Data is removed from active systems
- Backup data is securely deleted within defined retention windows (typically 30–90 days)
Operational Security & Monitoring
RRM maintains continuous monitoring and operational practices designed to support system reliability and security.
Real-Time Alerting
Real-time monitoring and alerting for system anomalies.
Logging & Observability
Logging and observability across platform components.
Incident Response
Defined incident detection and response procedures.
Continuous Improvement
Post-incident review and continuous improvement processes.
Compliance & Program Maturity
RRM Health is actively advancing its security and compliance program, with controls aligned to recognized industry standards and healthcare data protection requirements.
Structured Processes
We maintain structured processes for:
- Security policy management
- Risk assessment and mitigation
- Continuous monitoring and improvement
Additional documentation, including our Terms of Use and security materials, is available upon request.
Contact & Additional Information
For additional information regarding our security practices or to request documentation, please reach out to our security team.
Security Contact
For security inquiries, documentation requests, or to responsibly disclose a potential vulnerability.
security@rrmhealth.com