Security

Security Practices

A public overview of CouncilAI's security, privacy, and compliance practices.

Updated April 13, 2026

Security at a glance

Data protection

Encryption in transit and at rest, logical workspace separation, and access rules for documents, templates, generated content, and knowledge base content.

Access control

Role-based access, account statuses, organization membership, session controls, lockout protections, and administrator-managed access changes.

Auditability

Security-relevant activity logging, tamper-evident review, export controls, and compliance workflows for authorized reviewers.

Incident response

Triage, containment, investigation, recovery, customer impact assessment, and post-incident review practices.

Security practices

Public security overview.

CouncilAI is built for healthcare environments where privacy, confidentiality, integrity, and availability matter. Our security program uses administrative, technical, and operational safeguards designed to protect customer data and support healthcare compliance workflows.

This page provides a high-level overview of our security practices. It is not a detailed architecture document or a substitute for customer-specific contractual, legal, or compliance review.

Data Protection

CouncilAI applies safeguards to protect customer data throughout the product lifecycle.

  • Data is encrypted in transit using modern secure transport protocols.
  • Data is encrypted at rest in managed storage systems.
  • Access to customer data is limited by role and business need.
  • Customer workspaces are logically separated so organization users access only the data they are authorized to use.
  • Uploaded documents, generated content, templates, and knowledge base content follow access rules based on user role, ownership, and visibility settings.
  • Users are encouraged to enter only the minimum information necessary for their task and to follow their organization's data handling policies.

Access Control

CouncilAI uses role-based access controls to limit what users can view and change.

  • User access is based on account context, organization membership, role, and account status.
  • Common roles include clinician, staff, administrator, compliance officer, and platform administrator.
  • Administrative actions are limited to authorized roles.
  • Sensitive administrative actions may require a reason, recent authentication, and additional safeguards.
  • Accounts can be approved, suspended, deactivated, or forced to sign out by authorized administrators.
  • Session timeouts help reduce the risk of unattended access.
  • Authentication workflows may include password policies, account lockout protections, and multi-factor authentication where configured.

Audit Logging and Accountability

CouncilAI records security-relevant activity to support accountability and compliance review.

  • Authentication activity, data access, administrative actions, exports, system events, and AI-assisted workflows are logged.
  • Audit logs are designed to support tamper-evident review.
  • Authorized administrators and compliance officers can search, filter, review, and export audit records.
  • Audit exports should be stored and shared only according to the customer's approved policies.

Monitoring and Alerts

CouncilAI monitors for activity that may indicate misuse, account risk, or operational issues.

  • Failed authentication patterns can be detected and reviewed.
  • Export activity and unusual administrative changes can be reviewed.
  • After-hours access monitoring can be configured by organization.
  • Usage patterns can be reviewed by authorized users to support operational oversight.
  • Security events are investigated according to severity and potential customer impact.

Secure Product Development

Security is part of the product development process.

  • Changes are reviewed before release.
  • Code quality, type checking, and automated tests are used to reduce the risk of regressions.
  • Security-relevant changes receive additional review when appropriate.
  • Dependencies and application behavior are reviewed for known risks.
  • Production changes follow controlled deployment and change management practices.
  • Secrets and credentials are not intended to be stored in source code.

Operations and Resilience

CouncilAI uses managed cloud services and controlled operational processes to reduce risk.

  • Production access is restricted to authorized personnel.
  • Administrative access follows least-privilege principles.
  • Operational changes are tracked and reviewed.
  • Backups, recovery planning, and availability practices are maintained for production services.
  • Logs and evidence are retained according to compliance and operational requirements.
  • Security settings and access are reviewed on a recurring basis.

Vendor and Subprocessor Practices

CouncilAI reviews vendors and service providers that may affect customer data or platform operations.

  • Vendors are assessed based on the services they provide and the data they may access.
  • Security and compliance evidence is reviewed where appropriate.
  • Vendor access is limited to the scope needed for the service.
  • Vendor relationships are reviewed periodically.

Incident Response

CouncilAI maintains an incident response process for identifying, containing, investigating, and resolving security events.

  • Suspected incidents are triaged and assigned a severity level.
  • Response activities focus on containment, investigation, recovery, and customer impact assessment.
  • Evidence is preserved during investigations.
  • Customers are notified when required by contractual, legal, or regulatory obligations.
  • Post-incident reviews are used to improve controls and procedures.

Customer Responsibilities

Security is a shared responsibility. Customers and users should:

  • Use strong, unique passwords.
  • Enable multi-factor authentication when available.
  • Assign users the least-privileged role needed for their work.
  • Review access regularly and remove users who no longer need access.
  • Keep uploaded knowledge base and template content accurate and current.
  • Verify AI-assisted outputs before using them in clinical decisions or documentation.
  • Store exported audit or compliance records only in approved locations.
  • Report suspected security issues promptly through the designated CouncilAI support or security contact.

Requesting More Information

Customers who need additional security or compliance information should contact their CouncilAI representative or designated support contact. Detailed architecture diagrams, operational procedures, and customer-specific evidence are shared through appropriate review channels rather than posted publicly.