Security & Compliance

Built for Healthcare Security Standards

NyxCodex is designed with hospital-grade security considerations, zero PHI storage, and a compliance architecture aligned with HIPAA, Joint Commission, and CMS requirements.

No PHI Stored TLS 1.3 Encryption Firebase BAA Available HIPAA-Aware Architecture Role-Based Access Control

No Protected Health Information Is Ever Stored

NyxCodex is a staff training platform, not a clinical system. It does not collect, process, or store any patient data, medical records, or Protected Health Information (PHI) as defined under HIPAA 45 CFR §160.103.

The only personal data stored is staff user accounts: name, work email address, training progress scores, and completion timestamps. This data is isolated per organization and never shared across tenants.

Why this matters: Because NyxCodex stores no PHI, it does not trigger HIPAA's Covered Entity obligations on its own. However, Google Firebase (our backend) offers a Business Associate Agreement (BAA) for organizations that require one as a matter of policy.

Data Encrypted In Transit and At Rest

🔒

TLS 1.3 in Transit

All communication between users and NyxCodex servers uses TLS 1.3 encryption. HTTP connections are automatically redirected to HTTPS.

🗄

Firebase at Rest

Training data is stored in Google Firebase Realtime Database and Firestore, which encrypt data at rest using AES-256 by default.

🌐

Multi-Tenant Isolation

Each organization's data is stored under a unique org path in Firebase. Firebase Security Rules prevent any cross-organization data access.

🔐

Auth via Firebase

User authentication is handled by Google Firebase Authentication. Passwords are never stored in plaintext — Firebase uses bcrypt hashing.

Role-Based Access with Org Isolation

NyxCodex implements a three-tier role model enforced at both the application and database levels:

Firebase Security Rules enforce that no user can read or write data outside their organization's path (orgs/{orgId}/), regardless of role.

Regulatory Alignment

Standard / RequirementStatusNotes
HIPAA — No PHI storage ✓ Active Platform stores no patient data by design
Firebase BAA availability ✓ Available Provided by Google for Firebase enterprise customers
TLS 1.3 encryption ✓ Active Enforced on all connections via GitHub Pages / Vercel
Role-Based Access Control ✓ Active Staff / Admin / Owner roles with DB-level enforcement
Audit Logging ✓ Active Login, completion, quiz, and admin events logged per user
Joint Commission Staff Training ✓ Aligned Content aligned with EC.04.01.01 and HR.01.05.03
CMS CoP § 482.13(f) Restraint/Seclusion ✓ Covered Dedicated module on least-restrictive interventions
SOC 2 Type II ◆ Roadmap Planned for 2027 as platform scales to enterprise
HITRUST CSF ◆ Roadmap Under evaluation for hospital enterprise tier
Penetration Testing ◆ Roadmap Scheduled for Q3 2027 with third-party firm

Security Incident Procedures

In the event of a security incident affecting training data, NyxCodex commits to:

To report a suspected security issue: security@nyxcollectivellc.com

Third-Party Services Used

VendorPurposeData Processed
Google FirebaseAuthentication, database, storageEmail, name, training progress scores
Google Gemini APIAI scenario grading (optional)Anonymized scenario text only — no user identifiers
StripePayment processingBilling data only — not stored in NyxCodex systems
VercelAPI serverless hostingRequest metadata only (no user data persisted)
ElevenLabsAI voice synthesis for Professor VanceStatic script text only — no user data
GitHub PagesStatic asset hostingNo user data processed

Questions about security for your organization?

Our team is happy to provide a security review packet, answer IT questionnaires, or arrange a technical call with your security team.

Request Security Review Packet