MaveRx

Trust & Safety

Security at MaveRx

We protect your practice's data with the same rigor we apply to your rebate programs. Security is built into our architecture, processes, and culture — not added as an afterthought.

Last Updated: June 1, 2025

TLS 1.2+ in Transit
AES-256 at Rest
RBAC & MFA
SOC 2 Infrastructure
Encrypted Backups
Audit Logging

Healthcare data is sensitive by nature. MaveRx Services implements layered security controls across our technology stack, administrative processes, and workforce to ensure that your practice's information is handled with the care it demands.

This page summarizes our security posture. If you have specific security requirements or questions related to an enterprise engagement, please contact us directly.

Security Controls

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256
  • Passwords are hashed using bcrypt with per-user salts — never stored in plaintext
  • Database connections require encrypted channels

Access Controls

  • Role-based access control (RBAC) limits data access to authorized personnel only
  • Admin systems require multi-factor authentication (MFA)
  • Access to client data is logged with audit trails
  • Principle of least privilege applied across all systems
  • Immediate access revocation procedures for departing personnel

Infrastructure

  • Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification
  • Production environment is isolated from development and staging environments
  • Database backups are automated, encrypted, and tested regularly
  • Intrusion detection and anomaly monitoring are active
  • DDoS protection and rate limiting are enforced at the network layer

Operational Security

  • Security patches are applied within defined SLAs based on severity
  • Dependencies are monitored for known vulnerabilities
  • Incident response procedures are documented and tested annually
  • Employee security training is conducted at onboarding and annually
  • Acceptable use policies govern all access to systems containing client data

Data We Handle & How

A summary of the categories of data we process, where it lives, and how long we retain it.

Assessment Intake Data

  • What: Practice name, contact info, estimated dispensing volume, organization type
  • Where: Encrypted database (Supabase / PostgreSQL)
  • Retention: Duration of business relationship + 3 years

Operational Engagement Data

  • What: Dispensing records, formulary data, rebate submissions (per BAA)
  • Where: Encrypted at rest and in transit; access-controlled by role
  • Retention: Per BAA terms; typically 6 years per HIPAA requirement

Website Analytics

  • What: Anonymized visitor behavior (pages, session duration)
  • Where: Analytics platform; no PII
  • Retention: Rolling 24 months

Incident Response

MaveRx maintains a documented incident response plan that covers detection, containment, investigation, notification, and remediation of security events. Key elements of our process:

  • Security incidents are logged and triaged by severity within 4 hours of detection
  • Affected clients are notified of confirmed data breaches within required regulatory timeframes (HIPAA: 60 days; we target faster notification)
  • Root cause analysis is conducted after significant incidents and controls are updated accordingly
  • Incident response procedures are reviewed and tested at least annually

Reporting a Security Issue

If you believe you have discovered a security vulnerability or incident involving MaveRx systems, please contact us immediately. We take all reports seriously and will respond promptly to investigate and remediate confirmed issues.

Security Contact

allison@maverxservices.com

Subject line: Security Report

Please provide sufficient detail to reproduce the issue. We request responsible disclosure — do not publicly disclose vulnerabilities until we have had an opportunity to investigate and respond.