Documentation that stands up to a compliance audit

We work with clients across health care, legal services, financial services, and education, providing signed agreements, access logs, retention schedules, and monthly reports that comply with HIPAA, FERPA, and general data governance requirements.

Federal Law
HIPAA

The Health Insurance Portability and Accountability Act establishes national standards for the protection of Protected Health Information (PHI). The HIPAA Security Rule (45 CFR Part 164) specifies administrative, physical, and technical safeguards that covered entities and business associates must implement for electronic PHI.

Who this applies to: Healthcare providers, health plans, healthcare clearinghouses, and their business associates who create, receive, maintain, or transmit PHI in electronic form.

Stoneline Data supports HIPAA-compliant data custody through the following documented controls:

  • AES-256 encryption at rest using AWS KMS customer-managed keys
  • TLS 1.2 or higher enforced for all data transmission
  • Dedicated IAM user per client with minimum necessary access permissions
  • MFA required on all privileged accounts
  • S3 access logging with 90-day retention in isolated log bucket
  • CloudWatch anomaly alerting for unusual access patterns
  • Documented workforce access controls and training
  • Incident response and breach notification procedures per 45 CFR 164.400
  • Data retention enforcement not less than 6 years from creation or last use

HIPAA-tier clients receive a signed Business Associate Agreement before any data is provisioned.

We will not accept, store, or process PHI without a BAA in place. This is both a legal requirement and a commitment to your organization's compliance posture.

Business Associate Agreement

A Business Associate Agreement (BAA) is a written contract between a covered entity (such as a medical practice) and a business associate (such as Stoneline Data) that describes the permitted uses and disclosures of PHI, the obligations and activities of the business associate, and the safeguards the business associate will implement.

Under HIPAA, a covered entity may only share PHI with a business associate if a valid BAA is in place before any PHI is exchanged. Failure to execute a BAA before sharing PHI exposes the covered entity to significant regulatory liability.

Our BAA covers the following:

  • Specific permitted uses of PHI by Stoneline Data (storage, backup, integrity verification, and reporting only)
  • Prohibition on use or disclosure of PHI for any purpose beyond the stated service scope
  • Safeguards Stoneline Data implements to protect PHI
  • Reporting obligations in the event of a breach or security incident
  • Return and destruction procedures upon termination of the agreement
  • Sub-business associate obligations (AWS and GCP both maintain signed BAAs available on request)

Federal Law
FERPA

The Family Educational Rights and Privacy Act protects the privacy of student education records at institutions that receive federal funding. Records may only be disclosed without consent in specific circumstances defined by 20 U.S.C. 1232g and 34 CFR Part 99.

Who this applies to: Schools, colleges, universities, and educational agencies that receive federal funding and maintain student records.

For educational institutions using Stoneline Data to archive student records or administrative data, we implement:

  • Encryption at rest and in transit for all stored records
  • Access controls limiting data access to authorized personnel only
  • Documented retention and deletion policies aligned to your institution's schedule
  • Audit logging of all access events
  • Contractual data use restrictions prohibiting use of student data for any purpose beyond storage and backup

General Data Governance

Outside of specific regulatory frameworks, many organizations need to demonstrate documented data governance to satisfy internal audit requirements, insurance carriers, or client contracts. Stoneline Data supports these needs through:

  • Signed custody agreement defining scope, encryption standard, retention terms, and liability boundaries before services begin
  • Monthly written verification reports that serve as attestation of backup status and integrity
  • Documented offboarding process with written confirmation of data delivery and deletion
  • Defined data processing sub-processors (AWS and GCP) with links to their compliance documentation
  • Incident response procedures with defined notification timelines

If your organization requires a specific security questionnaire, vendor assessment, or evidence of controls, contact us and we will provide documentation accordingly.

Key Compliance Terms Defined

PHI
Protected Health Information. Any individually identifiable health information that relates to the past, present, or future physical or mental health of an individual or the provision of or payment for their care. This includes names, dates, geographic data, phone numbers, Social Security numbers, medical record numbers, and any other information that could identify a patient.
Audit Trail
A chronological record of all actions taken in connection with data: who accessed it, when, from where, and what they did. An immutable audit trail cannot be modified or deleted, making it suitable for regulatory review. Stoneline Data generates audit trails from S3 access logs and GCP audit logging, both written to isolated storage that is separate from your primary data.
Retention Policy
A documented schedule specifying how long data must be retained before it may be destroyed. Retention requirements vary by regulation and data type: HIPAA requires medical records to be retained for at least 6 years from creation or from the last date of service. Stoneline Data enforces retention policies at the bucket level, preventing deletion of objects before the retention period has elapsed.
Business Associate
Any organization or individual that performs functions or activities involving the use or disclosure of PHI on behalf of a HIPAA covered entity. Cloud storage providers and data custodians are business associates when handling PHI. Stoneline Data operates as a business associate and documents that role formally in a signed BAA.
Encryption at Rest vs. In Transit
Encryption at rest protects data stored on disk or in a storage system from unauthorized access if the storage medium is physically accessed. Encryption in transit protects data moving across a network from interception. Regulatory standards such as HIPAA require both. Stoneline Data implements AES-256 encryption at rest on all storage buckets and enforces TLS for all data transmission.
Minimum Necessary
A HIPAA principle requiring that access to PHI be limited to the information needed to perform a specific function. Stoneline Data implements this by scoping each IAM user's permissions to their specific bucket only, with no permissions granted to other client buckets, administrative resources, or cross-account data.
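As an added example (not Stoneline Data's own policy), the single-bucket IAM scoping described under Minimum Necessary and the TLS-only transport control listed among the HIPAA safeguards above can be expressed as AWS policy documents, with a check that flags any Allow statement reaching outside the client's own bucket and key; the bucket names and the KMS key ARN are constructed placeholders.

```python
"""Single-bucket IAM policy, TLS-only bucket policy, and a scope check.

Added example, not Stoneline Data's own policy. Bucket and key names are
constructed placeholders; the actions listed are standard S3/KMS actions."""
import json

def scoped_client_policy(bucket, kms_key_arn):
    """Identity policy for one client's IAM user: only that client's bucket
    and the single KMS key that encrypts it. Delete actions are omitted so
    the client's own credentials cannot undercut the retention lock."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": arn},
        {"Sid": "ReadWriteOwnObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{arn}/*"},
        {"Sid": "UseOwnKey", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": kms_key_arn}]}

def tls_only_bucket_policy(bucket):
    """Resource policy on the bucket: deny any request not made over TLS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def out_of_scope(policy, bucket, kms_key_arn):
    """Sids of Allow statements reaching beyond the client's bucket and key.
    This is the review check behind 'minimum necessary': a wildcard resource,
    another bucket, or any action outside s3:/kms: is reported as a finding."""
    permitted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*", kms_key_arn}
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue  # Deny statements only narrow access
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(r not in permitted for r in res) or \
           any(not a.startswith(("s3:", "kms:")) for a in acts):
            findings.append(st["Sid"])
    return findings

if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    policy = scoped_client_policy("client-a-archive", key)
    print(json.dumps(policy, indent=2))
    print("findings:", out_of_scope(policy, "client-a-archive", key))  # []
```

Running the check against the same policy with a different bucket name reports both S3 statements, which is exactly the cross-client access the scoping is meant to rule out.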

Getting Started with a Regulated Plan

Contact us with a brief description of your regulatory environment, data type, and volume. We will confirm which controls apply, send you a draft custody agreement and BAA if applicable, and provision your account only after all documentation is signed by both parties.

Quotes for compliance-tier plans are typically returned within one business day.