Security
Your patients' data deserves the highest level of protection. Here's how we safeguard every piece of information in Galy.
Last updated: January 15, 2026
Security Infrastructure
Encryption Everywhere
All data is encrypted in transit with TLS 1.3 and at rest with AES-256 encryption. Database connections, API calls, and file storage all use industry-leading encryption standards.
Access Control
Fine-grained role-based access controls (RBAC) ensure users only see the data they need. Multi-factor authentication is available for all accounts, with enforced MFA for administrator roles.
Monitoring & Detection
24/7 real-time security monitoring with automated threat detection. Our security team is alerted immediately to any suspicious activity, unauthorized access attempts, or anomalous behavior.
Infrastructure Security
Hosted on SOC 2 Type II certified cloud infrastructure within the United States. Our data centers feature physical security, redundant systems, and environmental controls.
Business Continuity
Automated backups with geographic redundancy ensure your data is always recoverable. Our disaster recovery plan targets an RPO of 1 hour and RTO of 4 hours.
Network Security
Enterprise-grade firewalls, DDoS protection, and web application firewalls (WAF) protect against network-level attacks. All traffic is filtered and inspected for threats.
Certifications & Compliance
- SOC 2 Type II: Annual audit covering security, availability, and confidentiality
- HIPAA: Full compliance with the Health Insurance Portability and Accountability Act
- HITRUST CSF: Healthcare-specific security framework certification
- ISO 27001: International standard for information security management
Security Practices
Secure Development Lifecycle
- Security-focused code reviews for all changes
- Automated static analysis and dependency scanning
- Regular penetration testing by third-party security firms
- Vulnerability disclosure and bug bounty program
- Secure CI/CD pipeline with signed deployments
Incident Response
- Documented incident response plan reviewed quarterly
- Dedicated security incident response team (SIRT)
- Breach notification within 24 hours of confirmation
- Post-incident analysis and preventive improvements
- Regular tabletop exercises to test response readiness
Vendor Security
- Security assessment of all third-party vendors
- Business Associate Agreements for vendors handling PHI
- Regular review of vendor security posture
- Minimal data sharing, following the principle of least privilege
- Vendor access monitoring and audit logging
Responsible Disclosure
We value the security community and welcome responsible disclosure of any vulnerabilities you may find. If you believe you have discovered a security issue in our platform, please report it to us at:
- Email: security@galy.io
- PGP Key: Available upon request
We ask that you give us a reasonable amount of time to investigate and address the issue before disclosing it publicly. We will not pursue legal action against researchers who follow responsible disclosure practices.