
How Sydra handles protected health information.

An NSA IDR submission (a dispute filed through the No Surprises Act's Federal Independent Dispute Resolution process) contains your patient's name, date of service, diagnosis, procedure codes, operative note excerpts, and disputed claim amounts. That makes every document uploaded to Sydra protected health information (PHI) under HIPAA. This page describes how we handle PHI specifically.

SOC 2

SOC 2 alignment.

Sydra's controls are SOC 2 aligned, covering security, availability, and confidentiality for the systems that process customer data.

A SOC 2 report is available under NDA to qualified prospects during evaluation. Email sales@sydrahealth.com with your compliance contact copied and we'll send it the same business day.

Safeguards

How Claude via Amazon Bedrock handles your PHI.

Sydra runs on Claude via Amazon Bedrock. Bedrock passes your prompts and model outputs to neither Anthropic nor any other model provider, and does not use them to train Claude or any other model. Bedrock is covered under our AWS Business Associate Agreement, so your claim data is processed inside the same HIPAA eligible boundary as the rest of your workflow.

Amazon Bedrock is on AWS's list of HIPAA eligible services. AWS's HIPAA BAA covers Amazon Bedrock when it is used in the context of a covered healthcare workload, and Sydra operates within that BAA scope.

When Sydra generates an IDR draft from your operative note, the note is sent to Claude through Amazon Bedrock and processed inside AWS's HIPAA eligible service boundary. No PHI is transmitted to Anthropic's systems or any other third party during generation, and nothing from the request is used to train the Claude model or any other model.

Infrastructure and encryption.

  • Hosting: Sydra production workloads run on AWS infrastructure in US regions.
  • Encryption at rest: Documents are stored in Amazon S3 with server side encryption (AES-256), using keys managed in AWS Key Management Service (KMS).
  • Encryption in transit: All data between your browser and Sydra's servers is transmitted over TLS 1.2 or higher.
  • Document access: Documents aren't accessible through persistent public URLs. Retrieval uses signed URLs with short expiry windows (minutes, not days).
  • Database: PHI is stored with row level security. Each practice has a unique tenant identifier. Queries are scoped to the authenticated practice's tenant by default.

Access control and isolation.

Within your practice: Role based access control. You define which staff members can view, draft, approve, or export. Permissions are granted explicitly, not inherited by default.

Between practices: Strict tenant isolation enforced at multiple layers: application logic, API authorization, database row level security, and audit logging.
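One way to implement the database layer of this isolation, the per-tenant row level security named in the Database bullet above and in the tenant isolation paragraph, is shown below for PostgreSQL. This is an added example, not Sydra's own schema: the table, column, role and setting names (submissions, tenant_id, sydra_app, app.tenant_id) are assumptions chosen for illustration.

```sql
-- Added example, not Sydra's own schema: enforcing per-tenant query scoping
-- with PostgreSQL row level security (RLS). The table, column, role and
-- setting names (submissions, tenant_id, sydra_app, app.tenant_id) are
-- assumptions for illustration. Requires PostgreSQL 9.6 or later
-- (current_setting with missing_ok).

CREATE TABLE submissions (
    id           uuid PRIMARY KEY,
    tenant_id    uuid NOT NULL,                 -- the practice that owns the row
    patient_name text NOT NULL,                 -- PHI
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it, so the table owner (migration and admin tooling
-- connecting as the owner) is subject to the policies too. Superusers and
-- roles with BYPASSRLS still bypass it, so the application role is neither.
ALTER TABLE submissions ENABLE ROW LEVEL SECURITY;
ALTER TABLE submissions FORCE ROW LEVEL SECURITY;

-- The application sets app.tenant_id once per request, after authenticating
-- the practice. A missing setting has to fail closed:
--   * current_setting(name, true) returns NULL instead of raising when the
--     setting was never defined in this session;
--   * once a SET LOCAL has ended, a custom setting reads back as '' rather
--     than NULL, and ''::uuid would raise, so NULLIF maps it to NULL too.
-- A comparison against NULL is never true, so an unscoped request matches
-- no rows at all.
CREATE POLICY tenant_isolation ON submissions
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application role owns nothing, cannot bypass RLS, and gets DML only.
CREATE ROLE sydra_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON submissions TO sydra_app;

-- Constructed sample data: one row for each of two practices. Because RLS is
-- forced, even the seeding session has to declare which tenant it acts for.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO submissions (id, tenant_id, patient_name) VALUES
    ('aaaaaaaa-0000-0000-0000-000000000001',
     '11111111-1111-1111-1111-111111111111', 'Patient A');
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO submissions (id, tenant_id, patient_name) VALUES
    ('aaaaaaaa-0000-0000-0000-000000000002',
     '22222222-2222-2222-2222-222222222222', 'Patient B');
COMMIT;

-- A request on behalf of practice 1. The USING clause filters every SELECT,
-- UPDATE and DELETE to that tenant; the WITH CHECK clause rejects any INSERT
-- or UPDATE that would produce a row belonging to a different tenant.
BEGIN;
SET LOCAL ROLE sydra_app;       -- assumes the session user is a member of sydra_app
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT id, patient_name FROM submissions;
INSERT INTO submissions (id, tenant_id, patient_name) VALUES
    ('aaaaaaaa-0000-0000-0000-000000000003',
     '22222222-2222-2222-2222-222222222222', 'Patient C');
ROLLBACK;

-- A request that never set app.tenant_id: the policy sees NULL and the
-- query matches nothing, rather than everything.
BEGIN;
SET LOCAL ROLE sydra_app;
SELECT count(*) FROM submissions;
ROLLBACK;
```

Run in a fresh database: the first SELECT returns only Patient A, the cross-tenant INSERT is rejected by the WITH CHECK clause (which aborts that transaction, hence the ROLLBACK), and the final count is 0. The two details a reviewer should look for in a real deployment are FORCE ROW LEVEL SECURITY (without it, anything connecting as the table owner silently bypasses the policy) and the NULLIF around current_setting (without it, the empty-string case either raises on the cast or, with a text column, could match a row whose tenant is blank).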

Within Kronos Health: the software engineering team's access is governed by internal HIPAA training. The Kronos Revenue RCM team has access to PHI only for practices using Sydra + Kronos Support. Leadership has access for quality review and escalated cases. Sales and marketing have no access to PHI without an operational need.

Audit logging.

Every log entry captures: user name, email, user ID, timestamp (UTC to the second), action performed, record affected (submission ID, document ID), IP address, session identifier. Logs are available to your account administrator on request.
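The following is an added example, not Sydra's own schema, of a PostgreSQL audit table carrying the fields listed above, populated by a trigger so that a change to a PHI row cannot happen without an entry, and kept append-only so that entries cannot be edited afterwards. The table, role and setting names (audit_log, submissions, sydra_app, app.*) are assumptions chosen for illustration; the submissions table and role are minimal stand-ins so the block runs on its own.

```sql
-- Added example, not Sydra's own schema: an append-only audit table filled by
-- a row trigger. Names (audit_log, submissions, sydra_app, app.*) are
-- assumptions for illustration. Requires PostgreSQL 11 or later
-- (EXECUTE FUNCTION; NEW/OLD read as NULL where they do not apply).

-- Minimal stand-in for the PHI table being audited and the application role.
CREATE TABLE submissions (
    id        uuid PRIMARY KEY,
    tenant_id uuid NOT NULL,
    status    text NOT NULL DEFAULT 'draft'
);
CREATE ROLE sydra_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON submissions TO sydra_app;

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT date_trunc('second', now()),
                                   -- absolute instant at second precision; render in UTC on export
    tenant_id   uuid NOT NULL,     -- so an account administrator can be shown only their own practice's entries
    user_id     uuid NOT NULL,
    user_name   text NOT NULL,
    user_email  text NOT NULL,
    action      text NOT NULL,     -- INSERT/UPDATE/DELETE from the trigger, or an application verb such as 'export'
    table_name  text NOT NULL,
    record_id   uuid NOT NULL,     -- submission ID, document ID, ...
    ip_address  inet,
    session_id  text
);

-- Append-only for the application: it can add and read entries but never
-- change or remove them. Only the table owner retains UPDATE/DELETE.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO sydra_app;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO sydra_app;

-- Request context travels in session settings the application sets after
-- authentication. The NOT NULL columns make a write with no identified actor
-- fail: the trigger's INSERT raises, which aborts the triggering statement.
CREATE FUNCTION audit_row_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log (tenant_id, user_id, user_name, user_email, action,
                           table_name, record_id, ip_address, session_id)
    VALUES (
        NULLIF(current_setting('app.tenant_id',  true), '')::uuid,
        NULLIF(current_setting('app.user_id',    true), '')::uuid,
        NULLIF(current_setting('app.user_name',  true), ''),
        NULLIF(current_setting('app.user_email', true), ''),
        TG_OP,
        TG_TABLE_NAME,
        COALESCE(NEW.id, OLD.id),  -- NEW is NULL on DELETE, OLD is NULL on INSERT
        NULLIF(current_setting('app.client_ip',  true), '')::inet,
        NULLIF(current_setting('app.session_id', true), '')
    );
    RETURN NULL;                   -- AFTER trigger: the return value is ignored
END;
$$;

CREATE TRIGGER submissions_audit
    AFTER INSERT OR UPDATE OR DELETE ON submissions
    FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- Constructed sample request: an authenticated user creates a submission and
-- then approves it, producing one INSERT entry and one UPDATE entry.
BEGIN;
SET LOCAL ROLE sydra_app;         -- assumes the session user is a member of sydra_app
SET LOCAL app.tenant_id  = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.user_id    = '33333333-3333-3333-3333-333333333333';
SET LOCAL app.user_name  = 'J. Doe';
SET LOCAL app.user_email = 'jdoe@example-practice.test';
SET LOCAL app.client_ip  = '203.0.113.10';
SET LOCAL app.session_id = 'sess_01HXAMPLE';
INSERT INTO submissions (id, tenant_id) VALUES
    ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111');
UPDATE submissions SET status = 'approved'
    WHERE id = 'aaaaaaaa-0000-0000-0000-000000000001';
COMMIT;

-- What an administrator export looks like, with the timestamp rendered in UTC.
SELECT occurred_at AT TIME ZONE 'UTC' AS occurred_utc, user_email, action, record_id
FROM audit_log ORDER BY id;
```

Run in a fresh database. Application-level events that do not change a row (viewing a document, exporting a draft) are written by the application through the same GRANT INSERT path, with the verb in the action column. If the audit table is also put under the tenant-scoped row level security policy used for the PHI tables, the "available to your account administrator" query becomes the same SELECT with app.tenant_id set.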

Business Associate Agreement.

A BAA is available for all covered entities and business associates using Sydra to process PHI. The BAA is executed during contracting. It covers:
  • permitted uses and disclosures of PHI
  • our obligation to safeguard PHI
  • breach notification timelines (without unreasonable delay and no later than 60 days after discovery, as the HIPAA Breach Notification Rule requires)
  • your right to audit our compliance
  • data return or destruction on termination
  • subprocessor obligations

If you want to review the BAA template before booking a demo, email sales@sydrahealth.com. We send it the same business day.

Incident response.

Documented incident response procedures covering detection, escalation, containment, recovery, and customer notification. If an incident involves your PHI: We notify you per the timeline in your BAA. We haven't had a reportable incident involving customer PHI.

Requesting security documentation.

Available to qualified prospects during evaluation: BAA template, security one pager, subprocessor list (AWS, Stedi, ModMed, and others in scope), AWS Bedrock HIPAA eligibility documentation, SOC 2 report under NDA.

Request: email sales@sydrahealth.com with your compliance contact copied. Response within one business day.

