Security & Trust

Built to Protect Your Compliance Data

Polestar GRC is a compliance readiness platform. Here is exactly how we protect the data you entrust to us.

Hosting & Infrastructure

  • Cloud provider: Amazon Web Services (AWS), US regions only
  • HIPAA-eligible services: We use AWS services that are covered under the AWS HIPAA BAA, including RDS, S3, and EC2
  • Data residency: All customer data is stored and processed in the United States
  • Availability: Multi-AZ deployment with automated failover for database services

Encryption

  • In transit: TLS 1.2+ enforced on all connections; TLS 1.3 preferred
  • At rest: AES-256 encryption for all stored data including database volumes and S3 objects
  • Secrets management: API keys, credentials, and signing secrets are stored in environment-level secret stores, never in source code

Access Controls

  • Role-based access control (RBAC): Users are assigned roles (Admin, Member) with least-privilege permissions enforced at the API layer
  • Multi-factor authentication (MFA): Available for all accounts; enforced for admin roles
  • Session management: Signed session cookies with configurable expiry; sessions invalidated on logout
  • Audit logging: All destructive and sensitive operations are logged with user, timestamp, and IP address

Subprocessors

We use the following third-party subprocessors to deliver the Polestar GRC service. Each is vetted for HIPAA eligibility or data-handling compliance where applicable.

  Subprocessor                   Purpose                                       Location
  Amazon Web Services (AWS)      Cloud hosting, database, file storage         United States
  Stripe                         Payment processing (PCI DSS compliant)        United States
  Transactional email provider   System notifications and reminders            United States
  Analytics service              Privacy-focused usage analytics (no PII)      United States

Business Associate Agreement (BAA)

A Business Associate Agreement is provided as standard with all paid plans and is executed during onboarding. If you require a BAA before subscribing, contact us at [email protected].

Our BAA covers the processing of any incidental PHI that may be entered into the platform during the course of your compliance work. We recommend that you do not enter actual patient data into the platform — our questionnaires collect information about your security controls, not patient records.

Incident Response & Breach Notification

  • Detection: Security event logging and alerting on anomalous access patterns
  • Notification SLA: In the event of a confirmed breach affecting your data, we will notify you within 72 hours of discovery, consistent with HIPAA Breach Notification Rule requirements (45 CFR §164.410)
  • Documented procedures: Written incident response plan reviewed annually

SOC 2 Report

Polestar GRC is working toward a SOC 2 Type II examination. When available, the report will be shared under NDA with enterprise customers and prospects upon request.

To request a copy of our current security documentation or to schedule a security review call, contact [email protected].

Questions About Our Security Practices?

Our team is happy to answer security questionnaires, review our controls, or discuss your specific compliance requirements.
