Trust and compliance

We maintain a robust assurance program encompassing numerous platforms across industries. Our continuous monitoring program ensures we maintain our industry-leading secure framework as our customer base grows.


SOC 2 is an industry-standard report for technology service providers that verifies compliance and controls pertaining to security and availability. Type 2 indicates that compliance is evaluated over a multi-month period. Refer to our SOC 3 report for an overview of our SOC 2 controls.

Redox has maintained SOC 2 compliance since July 2017.


We are HITRUST certified (see our HITRUST certificate and HITRUST Interim Assessment Letter). The HITRUST Cybersecurity Framework evaluates against 19 domains of security covering a broad spectrum of administrative, physical, and technical controls. The HITRUST CSF encompasses all applicable HIPAA requirements as well as numerous best practices, structured in a maturity model to serve as a framework for higher levels of security.

We attest at HITRUST’s Level 3 (their highest standard).

PCI compliant

Redox uses Stripe.js and Elements to collect card details from customers. Stripe automatically creates a combined SAQ A and Attestation of Compliance (AoC) (see our AoC). This is possible because Stripe’s Elements host all form inputs containing card data within an iframe served from Stripe’s domain, so our customers’ card information never touches the Redox servers.

NIST Cybersecurity Framework

NIST Cybersecurity Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks. It provides a common language that allows staff at all levels within an organization—and at all points in a supply chain—to develop a shared understanding of their cybersecurity risks.

Redox works to align with these standards.


From the U.S. Department of Health & Human Services website:

HIPAA Standards

To improve the efficiency and effectiveness of the healthcare system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic healthcare transactions and codesets, unique health identifiers, and security.

Read more about HIPAA.

Redox adheres to all applicable US federal and state regulations, including HIPAA.

The California Consumer Privacy Act of 2018

Learn more about the California Consumer Privacy Act of 2018 (CCPA), which gives consumers more control over the personal information that businesses collect about them. Also, read the CCPA regulations that provide guidance on how to implement the law.

Redox adheres to all applicable regulations surrounding the CCPA.