1. Our core security principle: minimize data exposure
Traditional revenue cycle software requires transmitting patient-identifiable data into an external system, creating an attack surface that must be defended through encryption, access controls, audit logs, and incident response. ReveIQ removes the risk rather than defending against it:
- No PHI is ever transmitted to ReveIQ servers. Our tools process inputs like DRG codes, denial codes, dollar amounts, and aggregate metrics — not patient names, dates of birth, medical record numbers, or any other identifiable patient data.
- Calculations run in your browser. When you use a ReveIQ calculator, the math happens locally on your device. The values you enter do not leave your browser.
- No account is required to use any of our free tools. There is no login to compromise, no password to reset, no session token to steal.
- Your reference lookups are not tracked. We do not log which DRG codes you search or which denial codes you look up.
2. How the Service is hosted and delivered
2.1 Static site architecture
ReveIQ's website is built as a static site, meaning the HTML, CSS, and JavaScript files are served directly to your browser without a backend database query or server-side user state. This architecture has inherent security benefits:
- There is no database of user data to be breached
- There is no authentication system to compromise
- There is no server-side application code of ours to exploit
- The attack surface is dramatically reduced compared to typical SaaS applications
2.2 Encryption in transit
All traffic to and from reveiqai.com is encrypted using industry-standard TLS (HTTPS). This protects information exchanged with our servers (including email submissions to the waitlist) from interception over the network.
2.3 Hosting provider
ReveIQ is hosted on a commercial-grade static site hosting platform that provides DDoS protection, global content delivery, automatic TLS certificate management, and infrastructure-level security controls.
3. HIPAA and the "no BAA required" question
A common question from prospective institutional customers: "Do we need a Business Associate Agreement (BAA) to use ReveIQ?"
Under HIPAA, a Business Associate Agreement is required when a vendor creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity. ReveIQ's architecture is designed to avoid being a Business Associate:
- We do not create, receive, or maintain PHI
- Our tools are not designed to handle PHI
- We instruct users not to input PHI (see our Terms of Service)
- No calculation data is transmitted to ReveIQ servers
As a result, a BAA is generally not required to use ReveIQ's free tools in a typical institutional setting — similar to how a BAA is not required to use a general-purpose spreadsheet or calculator.
However, your organization's compliance team makes the final determination based on your specific policies and how you plan to use the tools. We recommend that institutional users review ReveIQ with their compliance officer before deployment across a department.
4. What information we do hold, and how we protect it
The limited information we do hold — primarily waitlist email addresses and anonymized analytics — is protected through:
- Encryption in transit via HTTPS for all web traffic
- Encryption at rest within our hosting platform and email service provider
- Access controls limiting administrative access to the minimum set of authorized personnel
- Reputable service providers for email delivery, analytics, and hosting — each with their own documented security practices
- Secure credential management for any administrative access to ReveIQ systems
5. Incident response
In the unlikely event of a security incident affecting information we hold:
- We will investigate promptly upon discovery
- Affected users will be notified consistent with applicable law
- We will work to contain, remediate, and prevent recurrence
- Where required by law, we will notify relevant regulatory authorities
To report a suspected security issue or vulnerability, contact security@reveiqai.com.
6. Future security posture
As ReveIQ grows and adds paid subscriptions, team features, and account-based functionality, our security posture will evolve accordingly. Anticipated future enhancements include:
- Formal SOC 2 Type II attestation when account-based features launch
- Multi-factor authentication for account holders
- Role-based access controls for team accounts
- Audit logging for account administrative actions
- Formal penetration testing and vulnerability management programs
We will update this Security Overview as these capabilities are implemented.
7. Contact
For security-related questions or to report a vulnerability, contact us at:
security@reveiqai.com
ReveIQ · reveiqai.com