For developers & platform teams

Build HIPAA-compliant AI on a regulated substrate.

Use HASP as the HIPAA-compliant foundation for your AI products, agents, and workflows. Identity, policy, audit, compliance, and PHI handling — handled at the gateway, so you can focus on your product.

Compliance · frameworks we ship under

HIPAA: Active, BAA included
SOC 2 Type II: AOC under NDA, inherited
HITRUST r2: AOC under NDA, inherited
GDPR (Art. 17 · 20 · 30): EU + UK
PIPEDA / CPPA (Canada): Active + CPPA-ready
ISO 27001: Q3 2026, in progress

Developer surfaces

Two entry points. One governed substrate.

Whether you're integrating AI into an existing product or building autonomous agents, every call inherits identity, policy, audit, and PHI handling.

01

Public API

Embed HIPAA-compliant AI into your existing products and systems. PHI redaction and a full audit trail enforced at the gateway.

02

Agent SDK

Build agents that can act under scoped, revocable authority. Every tool invocation authorized, identity-scoped, and recorded.

03

Agent Identity & Delegated Authorization

Agents as first-class identities. OAuth 2.1 + Rich Authorization Requests for scoped, auditable, revocable agent permissions. Includes the standards-aligned A2A protocol.

04

PHI Handling

PHI detection, redaction, and de-identification at the gateway. Configurable per-org. No PHI leaves your governed perimeter without policy approval.

Policy enforcement

Rules before action. Not after the fact.

Every API call and agent tool invocation passes through the policy engine before execution. Define rules per-org, per-surface, per-agent. Denials are logged with full context.

Gateway evaluation order:
  1. Authenticate caller (User / ApiKey / Agent)
  2. Resolve org context and permissions
  3. Evaluate policy rules
  4. Scan for PHI — redact or block
  5. Route to inference provider
  6. Sign response to audit chain

Signed audit events

Every action recorded. Every record verifiable.

Hash-chained, Ed25519 signed, RFC 3161 anchored. Customers download the chain as plain JSON and verify it independently — no HASP software required.
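
How independent verification of a hash-chained log works in principle, as an added example that is not HASP's code or export format: the field names (`seq`, `event`, `prev_hash`, `hash`), the canonical JSON encoding, the use of SHA-256 and the all-zero genesis value are assumptions, and the sample records are constructed. It checks chain linkage only; Ed25519 signature and RFC 3161 timestamp verification are not shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first record


def canonical(obj):
    """Deterministic JSON encoding so writer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record):
    """SHA-256 over every field except the record's own 'hash'."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def verify_chain(records):
    """Return (ok, index of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev_hash") != prev:
            return False, i, "prev_hash does not match preceding record"
        if rec.get("hash") != record_hash(rec):
            return False, i, "record contents do not match stored hash"
        prev = rec["hash"]
    return True, None, "ok"


def build_chain(events):
    """Build a constructed sample chain standing in for a downloaded export."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        rec = {"seq": seq, "event": event, "prev_hash": prev}
        rec["hash"] = record_hash(rec)
        chain.append(rec)
        prev = rec["hash"]
    return chain


# Constructed sample events (hypothetical actors and actions).
SAMPLE = build_chain([
    {"actor": "agent:demo", "action": "tool.invoke", "decision": "allow"},
    {"actor": "apikey:demo", "action": "inference", "decision": "deny"},
    {"actor": "user:demo", "action": "export", "decision": "allow"},
])

if __name__ == "__main__":
    print(verify_chain(SAMPLE))
```

Linkage alone does not reveal records dropped from the end of the chain or a chain rebuilt wholesale from some point onward; those cases are what the per-record signatures and the external timestamp anchor are for.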

The substrate

Five components. Inherited by every surface.

The substrate is not a product you configure — it's the governed layer that every surface inherits. Build on any surface; the substrate ensures compliance, policy, and audit automatically.

Identity — first-class user, API key, and agent identities
Policy enforcement — rules evaluated before any action
Audit integrity — hash-chained, Ed25519 signed, RFC 3161 anchored
Compliance posture — HIPAA, SOC 2, HITRUST, GDPR, CCPA, PIPEDA
PHI handling — detection, redaction, de-identification

Start building

Governed AI, ready on day one.

Request API access, explore the SDK, or book a technical walkthrough. Every surface inherits identity, policy, audit, and PHI handling at the gateway.