Own The Climb
Compliance at Own The Climb

HIPAA when your work demands it.
Discipline in everything we ship.

BAAs signed, controls enforced in code, evidence on request.

We treat regulated work as compliance-bound from the first commit. For the clients who need it, we sign Business Associate Agreements, map our controls to the HIPAA rules in 45 CFR Part 164, and make the evidence available to your legal team. There is no such thing as "HIPAA certified": no agency issues such a certificate. There is compliant practice, BAA coverage, and proof, and we bring all three.

Ownership: you own everything from commit one
Control: you choose where data lives
Security: controls enforced in code
BAAs: we sign them
45 CFR: mapped
Zero data retention
US data residency
Frameworks and status

What we hold, what's on our roadmap, and what we don't claim.

Buyers have been burned by badge theater. Here is the honest picture. We would rather tell you precisely where we stand than imply a certification we do not hold.

HIPAA

Available. We sign BAAs.

Compliant deployments with a full PHI boundary and CFR-mapped safeguards.

Evidence on request

Zero Data Retention

Standard for AI inference.

BAA and enterprise model tiers that do not retain or train on your data.

SOC 2 Type II

On our roadmap

Our controls are architected to the SOC 2 Trust Services Criteria. Formal attestation is on our roadmap.

Control documentation available to your security team under NDA.

GDPR

Aligned. DPA available on request.

Data deletion on request, no third-party data sharing.

Evidence on request

CCPA

Aligned. Data deletion on request.

Transparent data handling, no sale of personal information.

NIST AI RMF

Aligned in practice.

Risk-management practices applied across the model lifecycle.

We do not hold, and do not claim, ISO 27001, PCI DSS, or FedRAMP.

HIPAA, told architecturally

Built inside HIPAA. From the first commit.

We treat every healthcare-adjacent workload as HIPAA-bound from day one. That posture extends to vendor selection, infrastructure, code review, and access. Here is how we handle protected health information: where it lives, where it is allowed to cross, and where it never goes.

PHI boundary (diagram). Inside the boundary, mainland-US, encrypted, RLS-scoped: tenant Postgres (RLS, AES-256, audited), object storage (per-object keys, signed URLs), encrypted backups (versioned, restore-tested). Crosses only after it is scrubbed: BAA-eligible inference (Vertex AI, Bedrock, OpenAI BAA tier; only the fields the model needs, never identifiers) and observability (error monitoring and logs; PHI scrubbed in code before any event leaves the process). Non-BAA providers: blocked in code; the path never crosses the boundary.

Inside the boundary

Lives here. Encrypted, RLS-scoped, audited.

  • Tenant-isolated Postgres
    RLS, AES-256, TLS 1.2+
  • Encrypted object storage
    Per-object keys, signed URLs
  • Encrypted backups
    Versioned, restore-tested
  • Application servers
    Mainland-US, no edge caching of PHI
  • Engineer access
    MFA, scoped, time-bounded, revoked same-day

Crosses, scrubbed

Crosses under BAA, after allowlist serialization.

  • BAA-eligible inference
    Vertex AI / Bedrock / OpenAI BAA tier, only the fields the model needs, never identifiers
  • Error monitoring
    PHI scrubbed in code before the event leaves the process
  • Structured logs
    Documented exclusion list, build fails on raw PHI

Never touches PHI

Enforced in code.

  • Browser dev tools and client console
    Production builds strip PHI log calls at compile time
  • Web analytics and marketing tags
    Banned from PHI routes, CSP-enforced
  • Public CDNs and third-party JS
    Same-origin only for PHI endpoints
  • Non-BAA model providers
    Egress blocked at the application layer
  • Unmanaged endpoints
    Cannot reach PHI-bearing infrastructure, enforced at identity

These boundaries are enforced in three places: at the database (row-level security plus encryption at rest), at the application boundary (allowlist serialization before any egress, so only named fields can cross), and at the code-review gate (static-analysis rules that reject patterns violating the data-handling matrix).
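Allowlist serialization and log scrubbing at the application boundary, shown as an added TypeScript example (the stack listed further down is TypeScript-based). This is illustrative code, not Own The Climb's own; the record shape, field names, allowlist and redaction patterns are assumptions made for the example.

```typescript
// Illustrative example (not Own The Climb's code). The record shape, field
// names, allowlist and redaction patterns below are assumptions.

type PatientRecord = {
  mrn: string;            // identifier: never crosses the boundary
  fullName: string;       // identifier
  dob: string;            // identifier
  ssn?: string;           // identifier
  age: number;
  sex: string;
  chiefComplaint: string;
  medications: string[];
  notes: string;          // free text; may embed identifiers
};

// The allowlist is the only thing that decides what crosses. A field added to
// PatientRecord later is dropped by default, so it cannot leak by accident.
const INFERENCE_ALLOWLIST = ["age", "sex", "chiefComplaint", "medications", "notes"] as const;
type InferenceField = (typeof INFERENCE_ALLOWLIST)[number];
type InferencePayload = Pick<PatientRecord, InferenceField>;

// Identifier-bearing keys. Used to drop keys from log events and as a guard
// on every egress payload, independent of the allowlist above.
const IDENTIFIER_KEYS: ReadonlySet<string> = new Set(["mrn", "fullName", "dob", "ssn"]);

// Free-text scrubbers for identifier formats that turn up inside notes.
// Illustrative patterns, not a complete PHI detector.
const FREE_TEXT_PATTERNS: ReadonlyArray<[RegExp, string]> = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"],
  [/\bMRN[:#\s]*\d{4,}\b/gi, "[MRN]"],
  [/\b\d{4}-\d{2}-\d{2}\b/g, "[DATE]"],
];

function scrubFreeText(text: string): string {
  return FREE_TEXT_PATTERNS.reduce((acc, [re, repl]) => acc.replace(re, repl), text);
}

// Scrub strings wherever they sit: bare, inside arrays, or in nested objects.
function scrubValue(v: unknown): unknown {
  if (typeof v === "string") return scrubFreeText(v);
  if (Array.isArray(v)) return v.map(scrubValue);
  if (v !== null && typeof v === "object") return scrubLogEvent(v as Record<string, unknown>);
  return v;
}

// Allowlist serialization: build the inference payload from the allowlist,
// never from the record's own keys, and scrub free text on the way out.
function serializeForInference(record: PatientRecord): InferencePayload {
  const out = {} as Record<InferenceField, unknown>;
  for (const key of INFERENCE_ALLOWLIST) {
    out[key] = scrubValue(record[key]);
  }
  return out as InferencePayload;
}

// Log scrubbing: applied to a structured event before it leaves the process.
// Identifier keys are removed outright at any depth; strings are scrubbed.
function scrubLogEvent(event: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(event)) {
    if (IDENTIFIER_KEYS.has(k)) continue;
    out[k] = scrubValue(v);
  }
  return out;
}

// Egress guard: the last check before a payload goes to an inference provider.
// Throws if any identifier key is present, so a bypass of the allowlist fails
// loudly instead of silently crossing the boundary.
function assertNoIdentifiers(payload: object): void {
  const leaked = Object.keys(payload).filter((k) => IDENTIFIER_KEYS.has(k));
  if (leaked.length > 0) {
    throw new Error(`PHI boundary violation: identifier fields in egress payload: ${leaked.join(", ")}`);
  }
}

// Constructed sample record, for demonstration only.
const SAMPLE_RECORD: PatientRecord = {
  mrn: "MRN 0012345",
  fullName: "Jane Example",
  dob: "1980-04-02",
  ssn: "123-45-6789",
  age: 44,
  sex: "F",
  chiefComplaint: "chest pain",
  medications: ["metoprolol 25mg"],
  notes: "Pt MRN 0012345 reports pain since 2024-05-01. SSN 123-45-6789 on file.",
};

const payload = serializeForInference(SAMPLE_RECORD);
assertNoIdentifiers(payload);
console.log(JSON.stringify(payload, null, 2));
```

The point of driving serialization from the allowlist rather than from the record is that a new column in the tenant schema is invisible to the model path until someone deliberately names it. The `IDENTIFIER_KEYS` set is the kind of list a pull-request static-analysis rule (Semgrep is on the roster above) could reference to fail the build when one of those keys appears in a log call; that wiring is assumed here, not shown.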

45 CFR mapping: 164.308 administrative safeguards · 164.310 physical safeguards · 164.312 technical safeguards · 164.314 organizational requirements (BAAs) · 164.400-414 breach notification · 164.502(b) minimum necessary

On our roadmap

On SOC 2, the honest version.

We have not completed a formal SOC 2 audit. Our controls are architected to the SOC 2 Trust Services Criteria for security, availability, and confidentiality, and formal attestation is on our roadmap. Until that report is issued, we make our control documentation available to your security team under NDA.

Most of our controls are enforced in code, not in policy alone. Here is what we can put in front of your security team today.

  • A documented data-handling matrix
  • Static-analysis rules that enforce controls at the pull-request gate
  • Penetration test evidence for engagements that require it
  • A sample BAA with every named sub-processor
Incident response

If something goes wrong, the clock is already running.

We maintain a written incident-response procedure with a named owner, an escalation path, and an evidence-preservation step. For healthcare engagements, breach notification follows HIPAA's Breach Notification Rule. Our internal milestones run faster than the legal outer limit, on purpose. Every incident gets a written post-mortem within five business days.

T+0, Detection: alert fires, on-call paged
T+1hr, Containment: access cut, client notified
T+4hr, Forensics: evidence frozen, scope identified
T+24hr, Draft report: written report to legal
T+72hr, Risk assessment: breach-risk determination
≤60 days, Outer limit: HHS Breach Notification Rule cap

The 60-day legal outer limit (60 calendar days from discovery of the breach, under 45 CFR 164.404) is the cap, not the target.

Response-time SLA

Response times we put in writing.

For engagements with a support commitment, our response-time SLA is contractual.

P1 Critical: production incident or data exposure. Acknowledged within 1 hour.
P2 High: functional bug blocking a workflow. Acknowledged within 4 hours.
P3 Standard: questions, change requests, non-blocking. Acknowledged within 1 business day.

Technology

The stack behind every guarantee.

We build on the same tools the most demanding teams in the world rely on. The roster below is selected per workload. Tools marked BAA are data sub-processors: they offer a HIPAA-eligible plan with an executable BAA and US-based data residency. BAAs are executed before any PHI enters the environment, and we give 30 days advance notice before adding or changing any sub-processor that affects your data.

BAA marks a data sub-processor under an executable Business Associate Agreement.

AI & Models

  • Vertex AI (BAA)
  • Google Gemini (BAA)
  • AWS Bedrock (BAA)
  • OpenAI (BAA)
  • Anthropic Claude

Cloud & Hosting

  • Vercel (BAA)
  • Amazon Web Services (BAA)
  • Google Cloud (BAA)
  • Cloudflare (BAA)

Data & Storage

  • Supabase (BAA)
  • PostgreSQL
  • Drizzle ORM

Security & Abuse Prevention

  • Arcjet (BAA)
  • Semgrep
  • Nuclei
  • Hardware security keys

Observability

  • Sentry (BAA)
  • Axiom (BAA)
  • PostHog
  • Checkly

Email & Delivery

  • Resend
  • React Email

Quality & CI

  • Vitest
  • Playwright
  • Stryker
  • CodeRabbit

Governance

Partner commitments, in writing.

The relationship is named before kickoff. The founder personally sponsors every engagement and signs every scope change. If your primary engineer changes, you get 60 days notice and a documented handover.

Named sponsor

  • The founder attends the steering call
  • Signs every scope change
  • Answers the phone

Continuity

  • 60 days advance notice on any engineer change
  • A documented, shadowed handover
  • For partner engagements

You own everything

  • All data is yours
  • All models trained on your data are yours
  • All source code is yours from the first commit
  • We retain no rights post-engagement
By industry

We understand your world's rules.

Healthcare

HIPAA-bound from the first commit. We sign Business Associate Agreements, enforce a PHI boundary in code, and run inference only on BAA-eligible models. The protections travel with the data, not with a policy document.

Legal

Privilege and retention, handled deliberately. Tenant isolation at the database, access scoped to the matter, and an immutable audit trail of who saw what and when, so ethical walls are provable, not promised.

Finance

Access control, data residency, and a complete, queryable audit log. Controls are enforced at the database and the application boundary, and every sensitive action leaves an entry, so oversight has something to read.

Procurement FAQ

The questions your procurement team asks.

Delivered under NDA within one business day

Bring it to your legal team.

Request our HIPAA compliance brief, a sample BAA, or our control documentation. We respond within one business day.

HIPAA brief and sample BAA
Control documentation
Under NDA
