Security
AutoICD API is built to handle sensitive clinical data securely. Every architectural decision prioritizes data minimization: we process what you send and keep nothing.
Security Architecture
Defense in depth across every layer of the stack.
Network Layer
- TLS 1.2+ encryption on all connections
- HTTPS-only - plaintext HTTP is rejected
- Deployed on dedicated, isolated compute instances
- Edge network for frontend with DDoS protection
Authentication
- API key required on every request
- Keys hashed with SHA-256 at rest
- Instant key rotation and revocation from dashboard
- Rate limiting per key to prevent abuse
Data Processing
- Clinical text processed entirely in memory
- No disk writes, no database storage of PHI
- Request payloads discarded after response
- ML models loaded read-only - never modified by user data
Logging & Monitoring
- Request metadata logged (timestamp, status, latency) - never PHI
- No clinical text in application logs
- No request body caching or replay capability
- Error traces sanitized to exclude user data
Data Flow
What happens to your data at each step of a request.
1. Your system sends clinical text over HTTPS
2. API key is validated; request is rate-checked
3. Text is processed in memory by ML pipeline
4. Structured results (codes, entities) are returned
5. All in-memory data is released, nothing persists
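The authentication, rate-limiting and metadata-only logging steps above, as an added Python sketch that is not AutoICD API's own code. It assumes API keys are random 256-bit tokens (so a single SHA-256 digest is an adequate at-rest form), a hypothetical fixed-window rate-limit policy, and a constructed in-memory dict standing in for the managed account database; the ML pipeline is passed in as a callable.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the managed account database described on this
# page: it holds only the SHA-256 digest of each key, never the key itself.
KEY_STORE: dict[str, dict] = {}


def hash_api_key(api_key: str) -> str:
    # Assumption: keys are random 256-bit tokens, so a plain SHA-256 digest is
    # adequate at rest; a slow KDF is only needed for low-entropy secrets.
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_api_key(account_id: str) -> str:
    api_key = secrets.token_urlsafe(32)  # shown to the customer exactly once
    KEY_STORE[hash_api_key(api_key)] = {"account": account_id, "revoked": False}
    return api_key


def revoke_api_key(key_id: str) -> None:
    KEY_STORE[key_id]["revoked"] = True  # key_id is the stored digest


class RateLimiter:
    """Fixed-window counter per key id (hypothetical policy: limit calls/window)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit, self.window_s, self.windows = limit, window_s, {}

    def allow(self, key_id: str, now: float) -> bool:
        start, count = self.windows.get(key_id, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0  # new window, reset the counter
        self.windows[key_id] = (start, count + 1)
        return count < self.limit


def handle_request(presented_key: str, clinical_text: str, pipeline,
                   limiter: RateLimiter, now: float) -> tuple[int, dict, dict]:
    """Return (status, response body, log record). The log record carries only
    timestamp, status and latency; clinical_text is a local that is dropped
    when this function returns and never reaches the log."""
    started = time.perf_counter()
    key_id = hash_api_key(presented_key)
    record = KEY_STORE.get(key_id)
    if record is None or record["revoked"]:
        status, body = 401, {"error": "invalid or revoked API key"}
    elif not limiter.allow(key_id, now):
        status, body = 429, {"error": "rate limit exceeded"}
    else:
        status, body = 200, pipeline(clinical_text)  # in-memory processing only
    log = {"ts": now, "status": status,
           "latency_ms": round((time.perf_counter() - started) * 1000, 2)}
    return status, body, log
```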
What We Don't Do
- Store clinical text or PHI in any database
- Log request bodies or response bodies
- Use your data for model training or fine-tuning
- Share data with third parties
- Cache or replay previous requests
- Retain data after the response is sent
Infrastructure
ML Backend: Runs on dedicated VMs in isolated compute environments. Models are loaded into memory at startup and serve inference requests without any disk I/O for user data.
Frontend & API Gateway: Served via an edge network with automatic TLS, DDoS protection, and global CDN distribution.
Database: Account data (emails, hashed API keys, usage counts) is stored in a managed database. No clinical text or PHI is ever written to the database.
Responsible Disclosure
If you discover a security vulnerability, please report it to info@autoicdapi.com. We take every report seriously and will respond promptly.
Questions about security?
Read our HIPAA compliance page or contact us for details.