Security at FxMedSupport.
Our infrastructure is built for the level of trust that 300+ medical practices place in us every day. Here’s how we safeguard the data that flows through FxMedSupport — and why our middleware architecture is itself a security feature.
The architecture, simply put.
FxMedSupport is the integration and automation layer that sits between Cerbo and the other major enterprise applications your practice uses. FxMedSupport does not store Protected Health Information (PHI) on its infrastructure. All PHI continues to live within Cerbo’s HIPAA-compliant systems where it has always lived. What FxMedSupport does is move the right data, at the right moment, to the right authorized destination — securely, encrypted in transit, and only at the practice’s explicit direction.
To function as middleware, FxMedSupport stores encrypted patient ID mappings on its bifurcated AWS infrastructure. These encrypted IDs allow FxMedSupport to consistently identify a patient across systems (Cerbo, QuickBooks, Zoho, GoHighLevel, etc.) without storing any actual medical or demographic information.
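As an added illustration of the encrypted patient ID mapping described above (example code, not FxMedSupport's own), this Go snippet stores only a Cerbo patient ID plus an AES-256-GCM-encrypted bundle of per-system IDs, with the Cerbo ID bound in as associated data and the key supplied from outside the record store; the record layout, field names and key handling are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// MappingRecord is all the middleware persists per patient: the Cerbo ID as the
// lookup key plus the encrypted cross-system IDs. No name, DOB or clinical field.
type MappingRecord struct {
	CerboID    string `json:"cerbo_id"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// mappingCipher is AES-256-GCM under a key assumed to be fetched from the vault
// on demand by authorized code and never stored beside the records.
type mappingCipher struct{ aead cipher.AEAD }

func newMappingCipher(key []byte) (*mappingCipher, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES block size is always 16
	return &mappingCipher{aead: aead}, nil
}

// Seal binds the Cerbo ID in as associated data, so a record cannot be re-pointed at another patient.
func (c *mappingCipher) Seal(cerboID string, ids map[string]string) (MappingRecord, error) {
	plain, _ := json.Marshal(ids) // map[string]string always marshals
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return MappingRecord{}, err
	}
	ct := c.aead.Seal(nil, nonce, plain, []byte(cerboID))
	return MappingRecord{CerboID: cerboID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open fails on a wrong key, an altered record, or a record whose Cerbo ID was changed.
func (c *mappingCipher) Open(rec MappingRecord) (map[string]string, error) {
	plain, err := c.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.CerboID))
	if err != nil {
		return nil, err
	}
	var ids map[string]string
	return ids, json.Unmarshal(plain, &ids)
}
```

With the key held in a separate vault, a copy of the mapping table alone yields neither medical data nor the cross-system identifiers.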
Strong Infrastructure
AWS hosting with redundancy, managed security patching, continuous monitoring, and built-in threat detection.
Secure System Access
Role-based access, audit logging, automatic session expiration, and decryption keys held only by authorized personnel.
Secure Data Transmission
TLS 1.2+ encryption for all data in transit. SSH for any file transfers.
Strong infrastructure.
FxMedSupport’s services are hosted on Amazon Web Services (AWS), an industry-leading cloud provider whose HIPAA-eligible infrastructure forms the foundation of our security posture. Our infrastructure is bifurcated with redundancy, ensuring high availability and resilience.
- Managed security patching on operating systems, runtimes, and dependencies — applied promptly when vulnerabilities are disclosed.
- Continuous monitoring across the application stack, with alerting on anomalous traffic, authentication failures, and known-threat signatures.
- Hardened operating systems with minimum-privilege configurations and unnecessary services disabled by default.
- Network-level protection through firewalls, VPC isolation, and DDoS mitigation provided at the AWS infrastructure level.
- Bifurcated architecture with redundancy ensures that no single point of failure can compromise service availability or data integrity.
- Encryption at rest and in transit for all FxMedSupport-managed data, including all encrypted patient ID mappings.
Secure system access.
Access to FxMedSupport’s systems — by clients, by FxMedSupport staff, and by automated services — is controlled with the same care that a hospital applies to who can open which door:
- Strong password policies are enforced for all admin accounts and client portal users, with periodic rotation requirements.
- Complete access logging records every authentication attempt — including IP address, timestamp, user agent, and the resource accessed.
- Automatic lockout is triggered after multiple failed login attempts to defend against credential-stuffing and brute-force attacks.
- Session timeouts automatically end inactive sessions, reducing the risk of unattended access.
- Role-based access permissions ensure FxMedSupport staff and client users see only the data and controls necessary for their role.
- Decryption keys for patient ID mappings are stored in a secure key vault with access restricted to authorized personnel. No other personnel — internal or external — have access.
- Multi-factor authentication is supported and recommended for all client admin accounts.
Secure data transmission.
Whenever data moves — between Cerbo and FxMedSupport, between FxMedSupport and a third-party integration the practice has authorized, or between a user’s browser and our application — it is encrypted in transit:
- TLS 1.2 or higher for all browser, API, and webhook communications.
- SSH (Secure Shell) for any administrative or file-transfer operations.
- HTTPS-only endpoints across the FxMedSupport application surface — we do not serve content over unencrypted HTTP.
- Per-integration credentials stored encrypted, never in plain text, and rotated according to the third-party service’s recommendations.
We do not transmit PHI to third parties without the practice’s explicit, configured authorization. Every integration that may touch PHI is set up, reviewed, and approved by the practice during onboarding.
The HIPAA framework.
FxMedSupport operates as a HIPAA Business Associate to its clients. We sign a Business Associate Agreement (BAA) with every client whose use of our services involves PHI, governing how we may handle, transmit, or briefly process that data on the practice’s behalf.
Read our Business Associate Agreement for the full HIPAA terms that govern this relationship.
Reporting a security concern.
If you believe you’ve identified a security vulnerability, suspicious activity affecting your account, or any incident that may involve unauthorized access, please contact our security team immediately at help@fxmedsupport.com. We respond to verified security reports within one business day.
Last reviewed by counsel: [09-06-25]