Security, Privacy, & Compliance

Security and privacy are core values of Codex Health’s mission to improve patient health outcomes in a cost-effective manner. All technology solutions are designed with a high degree of respect for user security, privacy, and HIPAA compliance.

Codex Health is SOC2 Type II certified and has an independent third-party HIPAA Compliance Attestation. The SOC2 Report and HIPAA attestation are available upon request:

HIPAA Compliance Officer

Codex Health has appointed a Security and Privacy Officer. Feel free to contact our Compliance Officer if you have any questions or concerns about Codex’s policies or practices:
Zane Silver –
170A University Avenue
Palo Alto, CA 94301


Codex does not provide medical care and is not a Covered Entity under HIPAA (US Health Insurance Portability and Accountability Act).

Codex Health is considered a HIPAA Business Associate to our healthcare provider partners.
Codex manages all consumer health information (CHI) and electronic protected health information (ePHI) in compliance with its Business Associate Agreements with its Covered-Entity partners.

Patient data may be anonymized, in alignment with the HIPAA Privacy Rule guidelines, such that the original data cannot be traced back to an individual. Anonymized ePHI may be retained indefinitely for product and research purposes.

Infrastructure Security

Codex uses Google Cloud Platform (GCP) to host our applications. We make full use of the security products embedded within the GCP ecosystem: Secret Manager, Security Command Center, and more. In addition, we deploy our application using containers and functions run on GCP’s fully-managed serverless platform, meaning we typically do not manage the server instances in production.

Data Security

Codex encrypts all data at rest and in transit for all of our customers. We use Google-managed cryptographic keys, using the same hardened key management systems that Google uses for its own encrypted data. In line with industry best practices, we enable and audit all data access requests within our GCP infrastructure and applications.

Data Locality

Codex is based in the US. We store and process your data in the United States in multiple GCP Locations.

Application Security

Codex regularly engages some of the industry’s best application security experts for third-party penetration tests. Our penetration testers evaluate our running application, the deployed environment, and authentication mechanisms. Codex also uses a high-quality automated developer security platform to monitor and detect software security vulnerabilities in real time.

Third-Party Audit

Additionally, Codex undergoes regular, independent third-party audits. SOC2 Reports & HIPAA Attestations are available to healthcare provider customers via request:


Codex has obtained the following compliance certifications:

In the future, the company may receive the following certifications

Please note that Codex’s current business scale excludes the company from various US state laws (e.g. CCPA) regarding state controls and requirements. Additionally, Codex Health does not conduct business outside the United States and prohibits the use of our services outside the United States. The company operates outside of the EU and the jurisdiction of GDPR regulations.

Contact Us

If you have any questions or concerns about Codex’s security and compliance, please contact us at
