Shared responsibility model

Last updated: Nov 12, 2025

SUPPORT

HEALTH TECH VENDOR

Redox serves as an intermediary for exchanging data between you and your connections. We share a responsibility with you and your connection to make sure data remains secure end-to-end.

Key takeaways

Our responsibility: Redox secures the platform, ensures compliance (HIPAA, HITRUST, SOC 2), and manages the secure transmission of data.
Your responsibility: You’re responsible for managing your organization’s user access and for controlling how you use PHI within configuration settings for data operations.
Your connection’s responsibility: Your connection is responsible for securing data after they have received it from Redox.

Review more details below about the key responsibilities to create a safe journey for all data exchanged via Redox.

Our responsibilities

Build a robust, defense-in-depth security program addressing all aspects of our operating environment.
Provide systems and environments that are compliant with relevant standards, including HIPAA, HITRUST, and SOC 2.
Ensure the secure receipt, storage, access, and transmission of all properly formed data exchanged via Redox.
Restrict access to systems and data by Redox roles, granting access only to those with a specific business need.
Maintain 24/7 support for responding to system stability and availability issues.
Respond to questions you might have about our security posture.

Your responsibilities

Respond to questions your customers might have about Redox’s security posture (with our support).
Refer your connections to our docs for a detailed overview of how and why Redox is a secure platform for data exchange.
Support modern, industry-accepted data connection standards (learn more about data in transit).
Develop security procedures for user access to your Redox organization(s) (learn about access control). You’re responsible for:
- approving and reviewing user access, permissions, and administrative settings so it all stays up-to-date;
- ensuring access changes reflect your change control procedures; and
- controlling your users’ access to confidential data, including PHI, if you choose to filter or translate confidential data.
Ensure that confidential data (i.e., PHI) is only entered and stored in appropriate places. For example, make sure you’ve considered the risks of changing or storing PHI in any Redox operation settings. Learn about Redox operations.

Your connections’ responsibilities

Data exchanged via Redox becomes the responsibility of your connection at the point that it’s received over your secure integration.

Support modern, industry-accepted data connection standards (learn more about data in transit).
Review our docs for an overview of security at Redox.

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.