Trust at SoberLab

Security built for the most sensitive records in care.

SoberLab protects resident health information and substance use disorder records with enterprise-grade security, HIPAA compliance, and 42 CFR Part 2 protections — so your team can focus on recovery, not risk.

HIPAA
Business associate
42 CFR Part 2
SUD records
SOC 2 Type II
Independently audited
Encrypted
In transit & at rest
01

How we protect your data

Layered controls across compliance, access, encryption, and monitoring — each one independently audited.

HIPAA & Part 2 compliant

Resident health information and substance use disorder records are handled under HIPAA and 42 CFR Part 2, with a signed BAA and QSOA on file.

Role-based access

Granular, administrator-defined permissions ensure each staff member sees only the records their role requires — down to the field level.

Encryption everywhere

Industry-standard TLS protects data in transit and AES-256 at rest, with keys managed in a dedicated, access-controlled key service.

Immutable audit trails

Every access, edit, and disclosure is logged to a tamper-evident trail, giving you a complete record for investigations and audits.

Network segmentation

Part 2 records live behind a separate segmentation boundary, isolating the most sensitive data from the rest of the platform.

Backup & recovery

Encrypted, geographically redundant backups with tested recovery procedures keep your operations resilient against data loss.

02

Purpose-built for 42 CFR Part 2

Substance use disorder records carry protections beyond HIPAA. SoberLab keeps Part 2 records behind a dedicated segmentation boundary, with consent tracking and redisclosure controls woven into every workflow.

Consent capture and tracking tied to each disclosure
Redisclosure warnings carried with exported records
Segmented storage isolating SUD data from general PHI
Audit logging of every view and release of a Part 2 record

Consent, not just access

Every disclosure of a protected record is bound to a documented consent and logged in an immutable audit trail — so you can prove the chain of custody, not just assert it.

03

Certifications & commitments

SOC 2 Type II
Annual third-party audit
HIPAA Security Rule
Administrative, physical, technical safeguards
42 CFR Part 2
QSOA + consent management
BAA with every customer
Signed before go-live
24/7 monitoring
Continuous threat detection
US data residency
99.9% uptime target

Request a BAA or our security packet

We sign a Business Associate Agreement with every customer and the 42 CFR Part 2 QSOA where applicable. Email security@soberlab.io for our SOC 2 report, BAA, and subprocessor list.