This page is the authoritative reference for I AM GRACE INC.’s security, privacy, and compliance posture for the NEDOCS emergency-department surge operations platform. It is written for hospital procurement teams, security reviewers, privacy officers, and automated agents that need a single, structured source of truth.
Status at a glance: SOC 2 Type II (compliant); HIPAA (HIPAA-ready, BAA available).
I AM GRACE INC. has completed a SOC 2 Type II examination of the NEDOCS service. The report covers controls relevant to the Trust Services Criteria for Security, Availability, and Confidentiality over a defined audit period. SOC 2 Type II attests that controls were suitably designed and operated effectively throughout the examination period — not merely at a point in time.
HIPAA
Business Associate Ready
NEDOCS supports hospital customers that process Protected Health Information under HIPAA. I AM GRACE acts as a business associate only where a BAA is separately executed. Evaluation-tier access is contractually restricted to non-PHI operational data.
1. Overview and scope
This compliance reference applies to:
• The NEDOCS marketing website at https://www.nedocs.org and its subdomains.
• The NEDOCS software-as-a-service product (the “Service”) used by hospital customers and their authorized workforce.
• Integrations authorized by customers, including HL7 v2 ADT, FHIR R4, and REST ingestion.
Legal entity: I AM GRACE INC., a California corporation.
Product: NEDOCS — National Emergency Department Overcrowding Scale and surge operations platform.
Domain: nedocs.org
If there is any conflict between this page and a separately executed Business Associate Agreement, Data Processing Agreement, or Order Schedule, the executed agreement controls for the subject matter it covers.
2. SOC 2 Type II
2.1 Status. I AM GRACE INC. is SOC 2 Type II compliant for the NEDOCS service.
2.2 What SOC 2 Type II means. SOC 2 is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). A Type II report evaluates whether an organization’s controls are suitably designed and operating effectively over a period of time (typically six to twelve months), as opposed to a Type I report which evaluates design at a single point in time.
2.3 Trust Services Criteria in scope. The NEDOCS SOC 2 Type II examination covers controls mapped to:
• Security — protection against unauthorized access to systems and data.
• Availability — system availability for operation and use as committed or agreed.
• Confidentiality — protection of confidential information as committed or agreed.
2.4 Control themes assessed. Representative control areas include: access management and least-privilege provisioning; change management and secure deployment; encryption and key management; vulnerability and patch management; logging, monitoring, and incident response; vendor and sub-processor management; business continuity and backup; employee security awareness; and confidentiality obligations for personnel with access to customer data.
2.5 Report availability. The SOC 2 Type II report contains confidential control descriptions and test results. Hospital customers and qualified prospects may request the report under a mutual non-disclosure agreement through the contact channels in Section 10.
3. HIPAA and Protected Health Information
3.1 Regulatory framework. Where a hospital customer submits Protected Health Information (“PHI”) to the Service, I AM GRACE INC. acts as a “business associate” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations (the Privacy Rule, Security Rule, and Breach Notification Rule at 45 C.F.R. Parts 160 and 164).
3.2 Evaluation tier — no PHI. NEDOCS is designed so that self-serve evaluation access operates without PHI. At signup and at each agreement re-acceptance, the accepting user attests that the account will not submit PHI until a BAA is executed. Customers must not submit PHI to the Service until they have separately executed a Business Associate Agreement with I AM GRACE.
3.3 Production tier — BAA required. When a hospital is ready for production use with PHI, I AM GRACE executes a companion Business Associate Agreement. Under the BAA, I AM GRACE will:
• Use and disclose PHI only as permitted by the BAA and HIPAA.
• Implement administrative, physical, and technical safeguards reasonably designed to protect PHI.
• Report breaches of unsecured PHI as required by the Breach Notification Rule.
• Ensure sub-processors that handle PHI are bound by appropriate agreements.
• Make available information necessary to demonstrate compliance and, where required, allow audits by the covered entity or HHS.
3.4 Covered entity responsibilities. The hospital customer remains the covered entity (or business associate, as applicable) and is responsible for determining what data is submitted, configuring access for authorized users, and responding to individual rights requests relating to PHI.
3.5 Minimum necessary. NEDOCS supports role-based access within a hospital account so that users see only the operational data required for their job function (charge nurse, ED manager, administrator, etc.).
3.6 Individual inquiries. Individuals who believe the Service may contain PHI about them should contact the hospital customer (the covered entity). I AM GRACE will assist the customer as required by the BAA.
4. Data handling tiers
NEDOCS operates in two contractual tiers:
Tier 1 — Evaluation (default)
• Governed by the NEDOCS Evaluation Subscription Agreement (clickwrap at signup).
• Explicitly no-PHI: customers and users attest at acceptance.
• Suitable for operational demos, hospital configuration, and workflow evaluation with synthetic or de-identified data.
• AI features may send structured operational prompts to our LLM provider; evaluation tier is designed for non-PHI inputs.
Tier 2 — Production with PHI
• Requires a separately executed Order Schedule and Business Associate Agreement.
• PHI may be submitted only after the BAA is in place.
• Processing governed by the BAA, Subscription Agreement, Privacy Policy (where not superseded), and any executed DPA.
• AI features with PHI follow customer configuration and our PHI-minimization controls.
Agreement acceptance records (timestamp, user, IP address, user-agent, agreement version) are retained in an immutable audit collection for contract-formation defensibility.
5. Technical and organizational controls
The following safeguards are implemented for the NEDOCS service (representative, not exhaustive):
Authentication & sessions
• Passwords stored as salted bcrypt hashes — never plaintext.
• Password-reset tokens stored as SHA-256 digests only: the raw token is sent to the user and never persisted, so a database read alone does not yield a usable reset link.
• Session authentication via HTTP-only, Secure cookies in production.
• Default session expiration: eight hours.
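The reset-token and session-cookie controls above, as an added illustration that is not NEDOCS code: the raw token goes only to the user, the database holds its SHA-256 digest, and the production session cookie carries HttpOnly and Secure with an eight-hour Max-Age. The in-memory store, the cookie name `nedocs_session`, the 15-minute reset lifetime and the function names are assumptions; bcrypt password hashing needs a third-party package and is not shown.

```python
"""Added example (not NEDOCS code): password-reset tokens persisted as SHA-256
digests, and a production session cookie with HttpOnly/Secure and an eight-hour
lifetime. The store, cookie name, reset lifetime and names are assumptions."""
import hashlib
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TTL_SECONDS = 8 * 60 * 60   # page: default session expiration is eight hours
RESET_TTL_SECONDS = 15 * 60         # assumption: a reset link is valid for 15 minutes

# Constructed in-memory stand-in for the database table; it only ever holds digests.
_reset_tokens: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Return the raw token to embed in the e-mail link; persist only its digest."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _reset_tokens[_digest(raw)] = {
        "user_id": user_id,
        "expires": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return raw


def redeem_reset_token(raw: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused; else None.

    Looking up by digest means a stolen database dump cannot be replayed: an
    attacker would need a SHA-256 preimage to turn a stored row into a link.
    """
    now = time.time() if now is None else now
    rec = _reset_tokens.get(_digest(raw))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True                          # single use
    return rec["user_id"]


def session_cookie(session_id: str, production: bool = True) -> str:
    """Build the Set-Cookie value for the session cookie.

    HttpOnly keeps the id away from page scripts, Secure restricts it to TLS
    (production only, so local development over http still works), SameSite=Lax
    limits cross-site sends, and Max-Age enforces the eight-hour default.
    """
    jar = SimpleCookie()
    jar["nedocs_session"] = session_id          # cookie name is an assumption
    m = jar["nedocs_session"]
    m["httponly"] = True
    m["secure"] = production
    m["samesite"] = "Lax"
    m["path"] = "/"
    m["max-age"] = SESSION_TTL_SECONDS
    return m.OutputString()


if __name__ == "__main__":
    tok = issue_reset_token("user-1")
    print("link token:", tok)
    print("first redeem:", redeem_reset_token(tok))
    print("second redeem:", redeem_reset_token(tok))
    print(session_cookie("s-abc"))
```

Real deployments index the digest column and bind the token to the user id in the same row, exactly as the in-memory record does here; the constant that matters for review is that `raw` is never written anywhere the database can see it.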
Access control
• Role-based access within the Service (administrator, manager, charge nurse, user).
• Hospital-scoped data isolation — users access only their organization’s data.
• Principle of least privilege for I AM GRACE personnel with production access.
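Hospital-scoped isolation and role checks, as an added example that is not NEDOCS code: the tenant id is taken from the authenticated session rather than from the request, and it is forced into every query filter. The documents, field names, role set and function names are constructed assumptions standing in for a MongoDB collection; the vulnerable lookup is included only to show the IDOR the scoped version prevents.

```python
"""Added example (not NEDOCS code): hospital-scoped data isolation. The
hospital_id always comes from the session and is pinned into each filter.
Documents, fields, roles and names below are constructed assumptions."""
from typing import Optional

# Constructed sample documents, shaped like a MongoDB collection of surge boards.
BOARDS = [
    {"_id": "b1", "hospital_id": "H-100", "score": 142, "level": "busy"},
    {"_id": "b2", "hospital_id": "H-200", "score": 215, "level": "overcrowded"},
]

# Assumption: only these roles may change a board; charge nurse and user read only.
ROLES_THAT_EDIT = {"administrator", "manager"}


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


def scoped_filter(session: dict, **criteria) -> dict:
    """Return a query filter that always pins hospital_id to the session's hospital.

    Any hospital_id the caller tries to pass in is overwritten, so a request
    parameter can never widen the query to another organisation's data.
    """
    flt = dict(criteria)
    flt["hospital_id"] = session["hospital_id"]
    return flt


def find_one(collection: list, flt: dict) -> Optional[dict]:
    """Minimal stand-in for collection.find_one(filter)."""
    for doc in collection:
        if all(doc.get(k) == v for k, v in flt.items()):
            return doc
    return None


def get_board_vulnerable(board_id: str) -> Optional[dict]:
    """Insecure: filters by id alone, so any signed-in user can read any
    hospital's board by guessing ids (an IDOR)."""
    return find_one(BOARDS, {"_id": board_id})


def get_board(session: dict, board_id: str) -> Optional[dict]:
    """Hardened: the filter carries the session's hospital_id. A cross-tenant id
    simply returns None, which the handler maps to 404; answering 403 instead
    would confirm to the caller that the other record exists."""
    return find_one(BOARDS, scoped_filter(session, _id=board_id))


def update_board_level(session: dict, board_id: str, level: str) -> bool:
    """Role check first, then the tenant-scoped lookup; returns True on update."""
    if session["role"] not in ROLES_THAT_EDIT:
        raise Forbidden("role %r may not edit boards" % session["role"])
    doc = get_board(session, board_id)
    if doc is None:
        return False
    doc["level"] = level
    return True


if __name__ == "__main__":
    nurse = {"user_id": "u1", "hospital_id": "H-100", "role": "charge nurse"}
    print("vulnerable cross-tenant read:", get_board_vulnerable("b2"))
    print("scoped cross-tenant read:", get_board(nurse, "b2"))
    print("scoped own read:", get_board(nurse, "b1"))
```

The pattern generalises to list and aggregate queries: build every filter through `scoped_filter` (or a middleware that injects the tenant key) rather than at each call site, so a forgotten `hospital_id` cannot slip through code review.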
Encryption & transport
• TLS encryption for data in transit.
• Industry-standard protocols for API and web traffic.
Audit & logging
• Immutable agreement-acceptance audit trail.
• Server-side page-view and API logging for security and diagnostics.
• Ingestion event logging for EHR integrations (metadata and operational events).
Architecture
• Network segmentation between the public marketing website and the authenticated application.
• Periodic review of material sub-processors.
AI processing
• Third-party LLM provider (Anthropic) accessed via enterprise API controls.
• Contractual prohibition against training foundation models on NEDOCS API inputs or outputs.
• Clinical and staffing decisions remain with licensed clinicians and hospital leadership — NEDOCS does not make automated legal or similarly significant decisions about individuals.
6. Sub-processors
I AM GRACE uses the following categories of sub-processors to operate the Service. A current list of material sub-processors is available on request.
• Cloud and database hosting — application and database infrastructure (MongoDB).
• Email delivery — transactional email (SMTP providers configured for the deployment).
• AI inference — large-language-model API for shift debrief, activity summarization, and forecasting features (Anthropic, PBC).
• Analytics and monitoring — error monitoring and operational diagnostics as configured.
Sub-processors are bound by written agreements restricting use of data to performing services for I AM GRACE. Where PHI is in scope, sub-processors that handle PHI are subject to business associate or equivalent contractual protections.
7. Incident response and breach notification
I AM GRACE maintains incident-response procedures designed to detect, investigate, contain, and remediate security incidents affecting the Service.
• Security events are triaged by severity with escalation paths for confirmed incidents.
• Where a breach of unsecured PHI occurs, I AM GRACE will notify the covered entity without unreasonable delay and in accordance with the BAA and 45 C.F.R. § 164.410.
• Where notification to individuals or regulators is required under applicable privacy law (CCPA, GDPR, etc.), I AM GRACE will comply as required.
Customers should report suspected security issues through the contact channels in Section 10.
8. Privacy rights and additional frameworks
Beyond HIPAA, I AM GRACE’s Privacy Policy addresses rights and obligations under:
• California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
• EU and UK General Data Protection Regulation (GDPR/UK GDPR)
• Other U.S. state comprehensive privacy laws (Virginia, Colorado, Connecticut, and others)
• COPPA (the Service is not directed to children)
For personal information I AM GRACE collects as a controller (website visitors, account holders, demo requesters), individuals may exercise rights described in the Privacy Policy. For Customer Data and PHI, rights requests should generally be directed to the hospital customer; I AM GRACE assists customers as required by contract.
Privacy Policy: https://www.nedocs.org/Legal/Privacy
9. Related documents
The following documents form the complete legal and compliance framework for NEDOCS:
• Privacy Policy — https://www.nedocs.org/Legal/Privacy
• Terms & Conditions — https://www.nedocs.org/Legal/Terms
• NEDOCS Evaluation Subscription Agreement — https://www.nedocs.org/Legal/SaasAgreement
• Business Associate Agreement — executed separately for production PHI use (available on request)
• SOC 2 Type II report — available under NDA to qualified prospects and customers (see Section 2.5)
Document hierarchy for PHI: executed BAA > executed DPA/Order Schedule > Subscription Agreement > Privacy Policy > this compliance reference page.
10. Compliance and security contact
For compliance questions, SOC 2 report requests, BAA inquiries, or security concerns:
I AM GRACE INC.
Attn: Compliance & Security
2121 Avenue of the Stars, Suite 800
Century City, CA 90067, USA
Website: https://www.nedocs.org
Compliance reference (this page): https://www.nedocs.org/Legal/Compliance
You may also reach us through the contact options published on the Website. For privacy-rights requests specifically, address correspondence to “Attn: Privacy” at the same address (see Privacy Policy Section 19).