Readiness status 2026-05-25

Trust, privacy, and security without the mystery layer.

PointMintz is preparing for SOC2 Type I while keeping the current truth visible: product controls and evidence paths are built, HIPAA-covered signup is open with controls active, and formal compliance claims wait for completed evidence and auditor work.

Security

Tenant isolation, MFA support, RBAC, audit logs, CSRF protection, CSP, and secure upload controls are part of the platform baseline.

Security overview

Privacy

Customer export, deletion, correction, processing restriction, DPA request flow, and sub-processor notice are wired into the product.

Privacy policy

Data Processing

Tenants can request the DPA package and review the processing, transfer, retention, and deletion summary before contract execution.

DPA summary

Sub-processors

The current vendor list covers hosting, communications, payments, DNS, and optional integrations, with material-change notice.

Vendor list

SOC2

Readiness controls, policy docs, risk register, vendor risk review, and evidence packet tooling are in place.

Readiness only

HIPAA

HIPAA-covered self-serve signup is unlocked while category safeguards, consent, audit, encrypted clinical notes, and operational evidence controls remain active.

HIPAA readiness

Signup unlocked

What we do not claim yet

  • PointMintz does not claim SOC2 certification or Type I attestation until an auditor completes the work.
  • PointMintz does not market tenants as HIPAA compliant without required BAAs, encryption evidence, audit-log evidence, and counsel-approved claims.
  • PointMintz does not use retired GitHub Actions as launch evidence in the current local-first topology.