HIPAA
Protected health information handled the right way: business associate agreements, least-privilege access, audit logging, and encryption in transit and at rest. Proven across healthcare clients like Allina Health.
Trust & Security
Tarmac is SOC 2 Type II audited and builds software for regulated industries every day. We are fluent in HIPAA, HITRUST, ISO 27001, and PCI DSS, and our engineers build against the OWASP Top 10 from the first commit, not the final audit.
Our attestation
Tarmac maintains a SOC 2 Type II attestation: an independent auditor examines our security, availability, and confidentiality controls over time, not just on a single day. We can share the current report under NDA.
How we build securely
Compliance paperwork proves a point in time. Secure engineering keeps you safe between audits. We do both, and the engineering comes first.
Our engineers treat the OWASP Top 10 as a baseline, not a checklist at the end. Injection, broken access control, and the rest are designed out during the build, then verified.
Static analysis, dependency and secret scanning, and AI-assisted security review run in CI on every change. Findings block the merge instead of waiting for an audit.
Peer review on every pull request, least-privilege access, secrets management, encryption in transit and at rest, and infrastructure as code so the secure configuration is the only configuration.
Security is not handed to a separate team at the end. The senior engineer accountable for a feature is accountable for how it holds up, which is exactly how the Tarmac 10 is meant to work.
Frameworks we build to
We meet your systems where your industry requires. These are the frameworks our teams work within most, with real delivery behind them.
Protected health information handled the right way: business associate agreements, least-privilege access, audit logging, and encryption in transit and at rest. Proven across healthcare clients like Allina Health.
For teams that need HITRUST alignment on top of HIPAA, we map the controls and build to them so your certification effort starts from a system that already fits.
Information security management aligned to ISO 27001 controls: risk assessment, access management, change control, and the documentation an ISMS audit expects.
Cardholder data environments segmented, tokenized, and built to PCI DSS. Proven on high-volume payment platforms, including a global Swiss payments provider.
Data privacy by design for EU and California users: lawful basis and consent, data minimization, and the right to access and erasure engineered into the product, not bolted on.
Risk-based security using the NIST Cybersecurity Framework, and the NIST AI Risk Management Framework for AI systems, so governance keeps pace with what we ship.
Regulated by default
Healthcare, financial services, and payments are where the margin for error is smallest. That is where a lot of our work lives. We adapt to your access model, your review gates, and your auditors, and we keep shipping without cutting the corners that matter.
Questions, answered
Yes. Tarmac maintains a SOC 2 Type II attestation, which means an independent auditor evaluates our controls across a period of time rather than at a single point. We can provide the current report under NDA.
We are fluent in HIPAA, HITRUST, ISO 27001, and PCI DSS, and we build to privacy regimes like GDPR and CCPA and risk frameworks like the NIST CSF and NIST AI RMF. We engineer your systems to meet the standard your industry and auditors require.
Regularly. Our teams have shipped and supported software in healthcare, financial services, and payments, where compliance is a requirement to operate. We are comfortable inside audited, controlled environments and adjust our access and process to fit yours.
Engineers build against the OWASP Top 10, and every change runs through static analysis, dependency and secret scanning, and AI-assisted security review in CI, plus peer review. Security is part of delivery, not a phase we bolt on before launch.
Yes. We routinely sign business associate agreements for HIPAA work and data processing agreements for GDPR and CCPA, and we align to your security and access requirements as part of onboarding.
Tell us about your environment and the frameworks you answer to. We will bring a senior team that ships fast and keeps you compliant while it does.