Security & Trust
Upstream Data is built on a zero-PHI architecture. Here is what that means in practice.
Zero PHI — Architectural guarantee
No real patient records enter our synthesis pipeline. Ever.
All datasets are generated from statistical priors, CARC/RARC-informed denial structures, payer-behavior rule models, and specialty-specific claim patterns. They are not derived from real claims.
This is an architectural constraint, not a policy. There is no code path that ingests real patient data into the synthesis process.
Encryption in transit
All traffic is served over TLS 1.3. HTTP connections redirect to HTTPS. HSTS is enforced.
Secure delivery
Preview artifacts are delivered through controlled, revocable access paths. No indefinite public download links.
Access control
Waitlist and preview-partner data is accessible only to Upstream personnel with a need-to-know. Audit logs are retained.
Dependency hygiene
Dependabot monitors all dependencies for CVEs. Critical vulnerabilities are patched within 72 hours.
Preview access and licensing
Public samples: Publication-reviewed sample artifacts are distributed only after the public/private gate approves the artifact, license, and row limits.
Private preview: Access is manually approved, revocable, and intended for evaluation, product development, workflow QA, and design-partner feedback. Redistribution of raw files is prohibited.
Commercial release: Enterprise certification, SLA-backed delivery, and broad redistribution rights are reserved for a later commercial release after legal/operator approval.
Security questions? Email security@upstream.cx. For the security posture of the Upstream Care Intelligence Platform (SOC 2, HIPAA, BAA), see upstream.cx/security.