Security at Roony

How we protect your data and how to report security concerns.

Reporting a Security Issue

If you discover a security vulnerability or have a security concern about the Roony platform, please report it to us immediately at security@roonyai.com. We take all reports seriously and will respond within 2 business days.

Responsible Disclosure

We ask that security researchers follow responsible disclosure practices:

  • Report vulnerabilities to security@roonyai.com before disclosing them publicly.
  • Provide sufficient detail for us to reproduce and fix the issue.
  • Allow reasonable time for us to address the vulnerability before any public disclosure.
  • Do not access, modify, or delete data belonging to other users.

HIPAA Compliance

Roony operates as a HIPAA-compliant Business Associate. We maintain Business Associate Agreements (BAAs) with all infrastructure and service providers that handle protected health information (PHI).

Infrastructure Security

  • Encryption at rest: All data is encrypted at rest. PHI fields use additional application-level encryption.
  • Encryption in transit: All connections use TLS.
  • Access controls: Role-based access with organization-level data isolation.
  • Audit logging: Comprehensive audit trail for all access to protected health information.
  • Data retention: 7-year retention policy in compliance with HIPAA requirements.

Authentication

We offer secure sign-in with support for multi-factor authentication. All API endpoints require authentication, and webhook endpoints use signature verification.

Questions

For general security questions, contact us at security@roonyai.com. For privacy-related inquiries, see our Privacy Policy.