NyxCodex™
NyxCodex is designed with hospital-grade security considerations, zero PHI storage, and a compliance architecture aligned with HIPAA, Joint Commission, and CMS requirements.
NyxCodex is a staff training platform, not a clinical system. It does not collect, process, or store any patient data, medical records, or Protected Health Information (PHI) as defined under HIPAA 45 CFR §160.103.
The only personal data stored is staff user accounts: name, work email address, training progress scores, and completion timestamps. This data is isolated per organization and never shared across tenants.
All communication between users and NyxCodex servers uses TLS 1.3 encryption. HTTP connections are automatically redirected to HTTPS.
Training data is stored in Google Firebase Realtime Database and Firestore, which encrypt data at rest using AES-256 by default.
Each organization's data is stored under a unique org path in Firebase. Firebase Security Rules prevent any cross-organization data access.
User authentication is handled by Google Firebase Authentication. Passwords are never stored in plaintext — Firebase uses bcrypt hashing.
NyxCodex implements a three-tier role model enforced at both the application and database levels:
Firebase Security Rules enforce that no user can read or write data outside their organization's path (orgs/{orgId}/), regardless of role.
| Standard / Requirement | Status | Notes |
|---|---|---|
| HIPAA — No PHI storage | ✓ Active | Platform stores no patient data by design |
| Firebase BAA availability | ✓ Available | Provided by Google for Firebase enterprise customers |
| TLS 1.3 encryption | ✓ Active | Enforced on all connections via GitHub Pages / Vercel |
| Role-Based Access Control | ✓ Active | Staff / Admin / Owner roles with DB-level enforcement |
| Audit Logging | ✓ Active | Login, completion, quiz, and admin events logged per user |
| Joint Commission Staff Training | ✓ Aligned | Content aligned with EC.04.01.01 and HR.01.05.03 |
| CMS CoP § 482.13(f) Restraint/Seclusion | ✓ Covered | Dedicated module on least-restrictive interventions |
| SOC 2 Type II | ◆ Roadmap | Planned for 2027 as platform scales to enterprise |
| HITRUST CSF | ◆ Roadmap | Under evaluation for hospital enterprise tier |
| Penetration Testing | ◆ Roadmap | Scheduled for Q3 2027 with third-party firm |
In the event of a security incident affecting training data, NyxCodex commits to:
To report a suspected security issue: security@nyxcollectivellc.com
| Vendor | Purpose | Data Processed |
|---|---|---|
| Google Firebase | Authentication, database, storage | Email, name, training progress scores |
| Google Gemini API | AI scenario grading (optional) | Anonymized scenario text only — no user identifiers |
| Stripe | Payment processing | Billing data only — not stored in NyxCodex systems |
| Vercel | API serverless hosting | Request metadata only (no user data persisted) |
| ElevenLabs | AI voice synthesis for Professor Vance | Static script text only — no user data |
| GitHub Pages | Static asset hosting | No user data processed |
Questions about security for your organization?
Our team is happy to provide a security review packet, answer IT questionnaires, or arrange a technical call with your security team.
Request Security Review Packet