MessageFoundry ships a genuinely-built identity, access-control, and audit core — enforced in code, not just documented — and runs in a controlled, fail-closed posture. Just as important for a healthcare buyer: the security story is open. You can download a posture summary that rates every control by what's actually enforced, and request the full code-grounded review.
These controls are implemented and enforced in the running engine — among the stronger access-control stories in this product category for a pre-1.0 product.
Local accounts with argon2id password hashing and account lockout, plus Active Directory over LDAPS. The engine refuses to serve unauthenticated requests off loopback, and denies access when no auth is configured. (Kerberos / Windows SSO is experimental; MFA is on the roadmap.)
Role-based access control with fixed built-in roles, enforced on every engine and admin route, denying anything not explicitly granted — including per-channel data-scope confinement, so a user only ever sees the interfaces they're entitled to.
Opaque, server-side session tokens with idle and absolute timeouts and immediate revocation — no long-lived bearer secrets floating around.
A user-attributed, hash-chained audit log records who viewed, replayed, or acted on PHI — with a verification command that detects out-of-band edits. (Tamper-evidence, not prevention; integrity still rests on host/file access controls.)
Message bodies are encrypted with AES-256-GCM when a store-encryption key is set. We recommend pairing it with full-disk/volume encryption (BitLocker, LUKS) so everything at rest is covered.
Every received message is persisted with a recorded disposition before it's acknowledged — so your message counts always reflect the truth, and there's no quiet data loss to discover later.
Today's supported posture is a single, controlled host: the API binds to 127.0.0.1 and requires authentication, and the trust boundary is that localhost API and the host itself.
A few things you'd need before exposing PHI over a network are not built yet. We disclose them plainly; until they land, keep the engine on localhost or behind your own TLS proxy.
The API and MLLP are plaintext today (loopback posture). MLLP-over-TLS and API TLS are required before any off-host exposure. AD (LDAPS) and the SQL Server backend already use TLS.
Multi-factor authentication and an outbound destination allow-list — so a message can only ever be sent to a pre-approved endpoint.
Retention / purge enforcement, centralized log redaction, and a de-identification framework — so PHI doesn't accumulate indefinitely and never leaks into logs.
The strongest thing we can offer a CISO isn't a claim — it's the receipts. We publish a security & PHI posture summary — controls, compliance alignment, and deployment requirements, rated by what's enforced in code, not what's documented, gaps included — and a full, code-grounded control-by-control review is available on request.
The summary covers our controls, compliance alignment, and deployment requirements. The full code-grounded review is available on request.
Start with the code and the security review — then bring us your questions.
