Halley is built for regulated workflows: encrypted everywhere, scoped to approved data, source-linked and auditable, hosted in the U.S. with a SOC 2 compliant provider — and honest about what HIPAA-capable means.
The same controls that let us serve healthcare and regulated operations apply across every deployment.
Data at rest secured with AES-256; data in transit protected with TLS 1.2/1.3.
MFA on critical systems, role-based access (RBAC), and regular access reviews as roles change.
Assistants are scoped to approved sources; your content is never used to train shared models.
Continuous monitoring, comprehensive logs for forensics, and periodic security audits.
Hosted in U.S. data centers operated by Rackspace®, a SOC 2 compliant provider.
A structured plan to contain and resolve incidents, with post-incident review and continuous improvement.
What this means: Public demos, marketing assistants, and standard lead-capture forms are not intended to collect PHI. When PHI is in scope, Halley runs as a scoped custom implementation with a defined boundary, approved vendors and subprocessors, appropriate agreements (including BAA coverage), and documented safeguards before launch.
HIPAA scope depends on the deployed environment, data-handling rules, vendor contracts, BAA coverage, access controls, retention policy, monitoring, and operating procedures. We describe healthcare work as HIPAA-capable custom implementation rather than blanket HIPAA compliance for every deployment — because that's the accurate description.
Talk to our team about controls, BAAs, and deployment boundaries for your environment.