Security
AutoICD API is built to handle sensitive clinical data securely. Every architectural decision prioritizes data minimization — we process what you send and keep nothing.
Security Architecture
Defense in depth across every layer of the stack.
Network Layer
- TLS 1.2+ encryption on all connections
- HTTPS-only — plaintext HTTP is rejected
- Deployed on dedicated, isolated compute instances
- Edge network for frontend with DDoS protection
Authentication
- API key required on every request
- Keys hashed with SHA-256 at rest
- Instant key rotation and revocation from dashboard
- Rate limiting per key to prevent abuse
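One way to implement the key handling listed above, as an added example that is not AutoICD API's own code: a store that keeps only SHA-256 digests, supports revocation and rotation, and applies a per-key sliding-window rate limit. The class name `ApiKeyStore`, the `sk_` key prefix, the limit values and the 200/401/429 return codes are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class ApiKeyStore:
    """Keeps only SHA-256 digests of API keys; the raw key is shown once at issue."""

    def __init__(self, limit=3, window=60.0, clock=time.monotonic):
        self._by_digest = {}  # sha256 hex digest -> {"id", "revoked", "hits"}
        self._limit, self._window, self._clock = limit, window, clock

    @staticmethod
    def _digest(raw_key):
        # Unsalted SHA-256 is adequate only because keys are 256-bit random
        # values; low-entropy secrets such as passwords need a slow KDF.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self):
        key_id = secrets.token_hex(4)                # non-secret handle for the dashboard
        raw_key = "sk_" + secrets.token_urlsafe(32)  # hypothetical key format
        self._by_digest[self._digest(raw_key)] = {
            "id": key_id, "revoked": False, "hits": []}
        return key_id, raw_key

    def revoke(self, key_id):
        for record in self._by_digest.values():
            if record["id"] == key_id:
                record["revoked"] = True

    def rotate(self, key_id):
        self.revoke(key_id)  # the old key stops working immediately
        return self.issue()

    def check(self, raw_key):
        """Return 200 (allowed), 401 (unknown or revoked) or 429 (rate limited)."""
        record = self._by_digest.get(self._digest(raw_key))
        if record is None or record["revoked"]:
            return 401
        now = self._clock()
        # Sliding window: keep only requests newer than `window` seconds.
        record["hits"] = [t for t in record["hits"] if now - t < self._window]
        if len(record["hits"]) >= self._limit:
            return 429
        record["hits"].append(now)
        return 200

    def stored_values(self):
        """What a database dump would expose: digests only."""
        return list(self._by_digest)
```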
Data Processing
- Clinical text processed entirely in memory
- No disk writes, no database storage of PHI
- Request payloads discarded after response
- ML models loaded read-only — never modified by user data
Logging & Monitoring
- Request metadata logged (timestamp, status, latency) — never PHI
- No clinical text in application logs
- No request body caching or replay capability
- Error traces sanitized to exclude user data
Data Flow
What happens to your data at each step of a request.
1. Your system sends clinical text over HTTPS
2. API key is validated; request is rate-checked
3. Text is processed in memory by ML pipeline
4. Structured results (codes, entities) are returned
5. All in-memory data is released — nothing persists
What We Don't Do
- Store clinical text or PHI in any database
- Log request bodies or response bodies
- Use your data for model training or fine-tuning
- Share data with third parties
- Cache or replay previous requests
- Retain data after the response is sent
Infrastructure
ML Backend: Runs on dedicated VMs in isolated compute environments. Models are loaded into memory at startup and serve inference requests without any disk I/O for user data.
Frontend & API Gateway: Served via an edge network with automatic TLS, DDoS protection, and global CDN distribution.
Database: Account data (emails, hashed API keys, usage counts) is stored in a managed database. No clinical text or PHI is ever written to the database.
Responsible Disclosure
If you discover a security vulnerability, please report it to info@autoicdapi.com. We take every report seriously and will respond promptly.
Questions about security?
Read our HIPAA compliance page or contact us for details.