Trust Center

How we protect what we ask you to protect.

We ask clinics to trust us with their compliance posture and the systems that run their practice. This page is how we earn that trust — by being specific about how we secure our own house.

Our security controls

The controls behind our team.

REAL Cyber runs the same caliber of controls inside our own environment that we recommend for the clinics we protect. Every team member uses phishing-resistant multifactor authentication, hardware-backed where the role requires it. Endpoint detection and response (EDR) runs continuously on every device that touches client work.

Access to client systems is least-privilege, time-bound, logged, and reviewed on a documented cadence. Privileged access requires a separate identity and additional controls. Production access changes are audited.

We segment our internal networks, encrypt client data in transit and at rest, and follow a published patch and vulnerability management schedule.

Compliance frameworks

Frameworks we follow.

REAL's security and compliance program is aligned to the NIST Cybersecurity Framework (NIST CSF), with control mappings to HIPAA for the clients where it applies. We use NIST CSF as the operational backbone because it's outcome-oriented and translates cleanly into the safeguards required by HIPAA, cyber-insurance carriers, and vendor security questionnaires.

Where a client is a HIPAA Covered Entity or Business Associate, we sign a Business Associate Agreement (BAA) and operate accordingly — including the administrative, physical, and technical safeguards required by the HIPAA Security Rule.

Incident response & escalation

What happens when something goes wrong.

When an incident is identified — by our monitoring, by you, or by a third party — a named owner on our team coordinates the response: we triage it, work to contain it, and track it through to resolution. We keep you informed as things develop and follow up with a clear write-up of what happened, what we found, and what we changed to reduce the chance of a repeat.

For clients who want that depth, we can also build a formal incident-response plan — defined severity levels, escalation paths, and communication expectations mapped to your practice — as part of a broader security program.

If an incident may involve protected health information, we give you and your advisors the facts to act on: scope, timeline, and supporting documentation. The determination of whether a reportable breach occurred, and any required notifications to regulators or affected individuals, rest with you as the covered entity — our role is to support that process with accurate information, not to make those calls on your behalf.

Vendor & subprocessor management

Who we trust, and how we manage them.

REAL maintains a documented inventory of vendors and subprocessors that touch client data or systems. Each is reviewed for security posture before onboarding and reviewed again on an annual cadence.

We require contractual commitments from vendors that handle PHI or other sensitive data — including BAAs where applicable — and limit data sharing to the minimum necessary for the service being provided.

No-PHI form policy

Why our website forms don't accept PHI.

The forms and booking calendar on this website are not HIPAA-compliant channels and we do not accept Protected Health Information (PHI) through them. This is intentional — keeping PHI out of marketing systems dramatically reduces the surface area where it could be exposed.

If your practice needs to share PHI with us as part of an active engagement, we provide a secure channel after our first conversation. You will see this policy stated on every form on this site.

Certifications & compliance

Independently attested.

HIPAA Seal of Compliance

OSHA Compliance

REAL Cyber maintains the HIPAA Seal of Compliance and an OSHA compliance attestation, both verified through Compliancy Group's annual review process. Each is an independent attestation that we've implemented — and maintain — the administrative, physical, and technical safeguards their respective standards require.

REAL People. REAL Experience. REAL Solutions.

Questions about how we'd protect your practice?

Book a 20-minute consult. We'll walk you through specifics โ€” yours and ours.

Book a Cyber Risk Consult