Compliance & Security Posture
Everything your procurement, IT security, and compliance teams need to evaluate Monolith — in one place.
Security Architecture
PHI-Free by Design
Monolith tracks assets, not patients. The data model enforces this boundary at the schema level: there is no column for a patient name, MRN, date of birth, or any other HIPAA-defined identifier, so the application has nowhere to store one. This is an architectural constraint, not a policy decision.
BAA: Administrative Assurance
Although Monolith never stores PHI, we sign Business Associate Agreements proactively. This eliminates procurement blockers and provides administrative assurance for any incidental data touch during integration or support.
Encryption at Rest and in Transit
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). In production, database encryption at rest uses AWS RDS native, KMS-backed encryption. The public demo runs entirely in the browser via sql.js; demo data is loaded and queried on the device and is never transmitted.
Hardware-Agnostic Scanning
Monolith accepts input from any HID-compliant barcode or QR scanner, camera-based scanning via the browser, or manual keyboard entry. No proprietary hardware, no vendor-locked peripherals.
Compliance Documents
Downloadable artifacts for your procurement review cycle. These documents are designed to answer the most common questions from IT security, compliance, and vendor-review committees.
Security Posture Whitepaper
Comprehensive overview of Monolith's security architecture, data handling practices, encryption standards, and compliance controls. Written for CISOs and IT security reviewers.
PDF available upon pilot engagement
HECVAT Lite
Higher Education Community Vendor Assessment Toolkit, Lite version, pre-filled for Monolith's architecture. Relevant to academic medical centers and other healthcare procurement teams that use HECVAT as their vendor-evaluation framework.
PDF available upon pilot engagement
CAIQ (on request)
Consensus Assessments Initiative Questionnaire by the Cloud Security Alliance. Available for organizations that require CSA-format security documentation during procurement.
Available upon request — contact info@ekoche.com
BAA Template
Our standard Business Associate Agreement template, ready for your legal team's review. We sign BAAs proactively as administrative assurance — Monolith never stores PHI.
Available during pilot onboarding
HIPAA Safeguard Coverage
Summary of how Monolith addresses each HIPAA safeguard category. Full details in the Security Posture Whitepaper.
| Safeguard | Category | Monolith Posture |
|---|---|---|
| Administrative | Risk Assessment | PHI-free architecture removes PHI disclosure, the largest HIPAA risk class, by design. Remaining risks are reviewed in an annual internal assessment. |
| Administrative | Workforce Training | All personnel with data access complete HIPAA awareness training annually. |
| Physical | Facility Access | Production infrastructure runs in AWS-managed data centers covered by AWS's SOC 2 Type II attestation reports. |
| Technical | Access Controls | SAML SSO, role-based access, per-facility data isolation, audit logging. |
| Technical | Encryption | AES-256 at rest, TLS 1.3 in transit. No unencrypted data paths. |
| Technical | Audit Controls | Immutable audit log for every data access and modification event. |
Recommended Bluetooth HID Scanners
Monolith works with any HID-compliant scanner. These are models we have tested and recommend for healthcare environments.
| Model | Type | Est. Price | Notes |
|---|---|---|---|
| Socket Mobile S740 | 2D Bluetooth | ~$350 | Healthcare-grade, antimicrobial housing |
| Zebra CS6080 | 2D Bluetooth | ~$300 | Compact, cradle-chargeable, HID profile |
| Honeywell Voyager 1602g | 1D/2D Bluetooth | ~$180 | Budget-friendly, reliable HID mode |
| Browser Camera | Built-in | $0 | Any device with a camera — via browser API |
Monolith is hardware-agnostic. Any scanner that presents as an HID keyboard device will work. Prices are approximate retail.
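The following is an added example, not Monolith's own code, showing what "presents as an HID keyboard device" means in practice for a web application. A Bluetooth or USB HID scanner types the decoded barcode as ordinary keystrokes, so the page has to separate a scanner burst from human typing (by inter-key timing) and detect the end of a scan (this example assumes the scanner is configured to send Enter as a suffix, which is the common default). Because a crafted barcode can type anything, scanned text is treated as untrusted input and checked against an asset-tag format; the `MON-` pattern and all sample events below are constructed for illustration.

```javascript
// Added example (not Monolith's code): detect keyboard-wedge scanner input in a
// browser and validate it before use. A HID scanner types its decoded barcode as
// keystrokes, typically far faster than a human, and is assumed here to be
// configured to send Enter as a suffix.

const MAX_INTERKEY_MS = 40;   // keystrokes from a scanner arrive in a tight burst
const MIN_SCAN_LENGTH = 4;    // shorter bursts are treated as human typing
// Hypothetical asset-tag format for illustration: MON- followed by 6-12 alphanumerics.
const ASSET_TAG_RE = /^MON-[A-Z0-9]{6,12}$/;

class ScanBuffer {
  constructor({ maxInterkeyMs = MAX_INTERKEY_MS, minLength = MIN_SCAN_LENGTH } = {}) {
    this.maxInterkeyMs = maxInterkeyMs;
    this.minLength = minLength;
    this.reset();
  }
  reset() { this.chars = []; this.lastTs = null; }

  // Feed one key event; returns the completed scan on Enter, otherwise null.
  feed(key, ts) {
    if (this.lastTs !== null && ts - this.lastTs > this.maxInterkeyMs) {
      // Gap too long: whatever was buffered was human typing, not a scan.
      this.reset();
    }
    this.lastTs = ts;
    if (key === 'Enter') {
      const scan = this.chars.join('');
      this.reset();
      return scan.length >= this.minLength ? scan : null;
    }
    if (key.length === 1) this.chars.push(key);  // printable character only
    return null;
  }
}

// Scanned data is untrusted input: a crafted barcode can type anything, including
// injection payloads, so constrain it to the expected format before it reaches a
// query or the DOM. Returns the normalized tag or null.
function validateAssetTag(scan) {
  if (typeof scan !== 'string') return null;
  const tag = scan.trim().toUpperCase();
  return ASSET_TAG_RE.test(tag) ? tag : null;
}

// Replay recorded [key, timestampMs] pairs through a buffer and return every
// completed scan with its validation result.
function scansFrom(events, opts) {
  const buf = new ScanBuffer(opts);
  const out = [];
  for (const [key, ts] of events) {
    const scan = buf.feed(key, ts);
    if (scan !== null) out.push({ raw: scan, tag: validateAssetTag(scan) });
  }
  return out;
}

// Wire the buffer to keydown events when running in a browser; no-op under Node.
function attachScanner(onTag, opts) {
  if (typeof document === 'undefined') return null;
  const buf = new ScanBuffer(opts);
  const handler = (e) => {
    const scan = buf.feed(e.key, e.timeStamp);
    if (scan === null) return;
    const tag = validateAssetTag(scan);
    if (tag !== null) onTag(tag);
  };
  document.addEventListener('keydown', handler);
  return () => document.removeEventListener('keydown', handler);
}

// Constructed sample events: a scanner burst (10 ms between keys), a human typing
// the same tag at 150 ms per key, and a scanned barcode carrying a SQL-ish payload.
function typed(text, startMs, gapMs) {
  const events = [];
  let t = startMs;
  for (const ch of text) { events.push([ch, t]); t += gapMs; }
  events.push(['Enter', t]);
  return events;
}
const SAMPLE_EVENTS = [
  ...typed('MON-7F3A9Q2K', 1000, 10),
  ...typed('MON-7F3A9Q2K', 5000, 150),
  ...typed("' OR 1=1 --", 9000, 10),
];

console.log(scansFrom(SAMPLE_EVENTS));
```

The human-typed copy never surfaces as a scan because every inter-key gap exceeds the threshold, and the injected payload is captured as a scan but rejected by validation; only the genuine tag reaches the application. In a real deployment the timing threshold should be tuned against the scanners actually in use, since slow Bluetooth links can stretch the inter-key gap.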
Questions for Your Security Team?
We are happy to join a call with your CISO, IT security team, or procurement committee. Compliance conversations are our favorite conversations.