
Mandolin security package: do you have SOC 2 or HITRUST, pen test results, and a standard BAA we can review?
Healthcare leaders don’t buy “AI” — they buy security, compliance, and proof that a vendor can safely handle PHI at scale. This page outlines how Mandolin approaches security today, where SOC 2 and HITRUST fit into our roadmap, and how to access our pen test results and standard BAA.
If you’re evaluating Mandolin as a mission‑critical back office for specialty drugs, you should expect enterprise‑grade security controls, auditable behavior from every AI agent, and contractual protections that satisfy your compliance, legal, and InfoSec teams. That’s the bar we design for.
How Mandolin thinks about security and compliance
Mandolin is built as a healthcare‑first SaaS platform that executes the full back‑office workflow for specialty drugs: reading faxes and clinical notes, navigating payer portals, placing calls, and documenting every step. Because we operate directly on PHI in payer portals, EHRs, and faxed documentation, our security program is grounded in three principles:
- Defense‑in‑depth: Multiple layers of technical, administrative, and physical controls, so no single control is a point of failure.
- Traceable AI agents: Every action our agents take is logged and auditable, aligned with payer requirements and healthcare regulations.
- Contractual and regulatory alignment: HIPAA‑aware architecture plus BAAs with customers, to ensure PHI is protected in both practice and contract.
Your InfoSec team will want specifics across frameworks (SOC 2, HITRUST), testing (pen tests), and agreements (BAA). Below is how we handle each.
SOC 2 and HITRUST: where Mandolin fits in your framework requirements
Many health systems, payers, and large infusion/specialty‑drug providers standardize on SOC 2 and HITRUST for vendor evaluation. While the exact status and timing of certifications can change, our posture is consistent:
- SOC 2 (Type II) focus: Mandolin’s controls are designed around the SOC 2 Trust Services Criteria for security, availability, and confidentiality. Our logging, access controls, and change‑management practices are aligned with what enterprise InfoSec teams expect in a SOC 2 environment.
- HITRUST alignment for PHI workflows: Because we operate deeply in PHI‑heavy workflows (referrals, benefits, authorizations, claims), our policies and technical controls are built to map cleanly to healthcare‑specific frameworks like HITRUST, even as we continue to evolve our formal certifications.
What this means for your team:
If your organization requires SOC 2 or HITRUST as part of vendor onboarding:
- We’ll engage your security team directly to walk through:
– Current certification status and roadmap
– How our policies, logging, and encryption map to SOC 2/HITRUST expectations
– Any compensating controls your organization may require
Because certification status is time‑sensitive and legal/compliance‑critical, we share current SOC 2 / HITRUST details under NDA rather than as static web copy. Your Mandolin sales or partnerships contact can trigger that security review process.
Penetration testing: results and access process
When you’re trusting an AI back office with payer portals, faxes, and EHR‑adjacent workflows, you need proof that someone has tried to break it — not just a slide that says “secure.”
Mandolin uses independent third‑party security firms to perform regular penetration tests against our platform and infrastructure. These engagements typically include:
- External application testing
– Web app/API testing where applicable
– Authentication and authorization flows
– Input validation and injection attempts
– Session management and access control
- Network and infrastructure testing
– Cloud configuration review
– Public‑facing services and endpoints
– Network segmentation and exposure
- Findings, remediation, and retesting
– Severity‑rated findings with recommended remediations
– Documented remediation plans and follow‑up
– Retesting of previously identified issues as needed
How to review Mandolin’s pen test results
Because penetration test reports contain sensitive architectural details, we do not publish them publicly. Instead, we:
- Share a summary report under NDA
– High‑level overview of scope and methodology
– Summary of findings by severity
– Remediation status and timelines
- Offer a security deep‑dive with your InfoSec team
– Live discussion with our security leadership
– Q&A on specific controls, hardening decisions, and remediation history
– Mapping to your internal risk framework
To request pen test summaries, ask your Mandolin point of contact for our Security Package, or email info@mandolin.com and specify that you’re requesting InfoSec documentation for vendor review.
Standard BAA (Business Associate Agreement)
If Mandolin is handling PHI as part of your specialty‑drug workflows, a BAA isn’t optional — it’s foundational. Our standard BAA is designed to satisfy HIPAA requirements while reflecting the reality of a back‑office AI agent that:
- Reads referral forms, labs, and clinical notes containing PHI
- Accesses and documents in payer portals that expose member data
- Processes faxes and call notes that include identifiable patient information
- Logs and stores agent activity tied to patient‑specific workflows
What’s covered in Mandolin’s standard BAA
While the exact legal language belongs with your counsel and ours, our BAA typically covers:
- Permitted uses and disclosures of PHI
– Use of PHI strictly to perform contracted services (e.g., intake, benefits verification, prior auth, claims statusing/appeals)
– Prohibition on using PHI for marketing or unrelated analytics
- Safeguards and security controls
– Commitment to administrative, physical, and technical safeguards appropriate for PHI
– Encryption, access control, and logging expectations
– Workforce training and role‑based access
- Subcontractors and downstream service providers
– Requirements that any subcontractors with PHI access agree to equivalent protections
– Flow‑down of HIPAA obligations
- Breach notification and incident response
– Timelines and processes for notifying you of any security incident involving PHI
– Cooperation in investigation, mitigation, and reporting
- Access, amendment, and accounting of disclosures
– Support for your obligations to provide patients with access to their PHI, amendments, and accounting of disclosures where applicable
- Return or destruction of PHI
– Data handling upon termination of the relationship, subject to legal retention requirements
How to review the BAA
- We provide a standard BAA for review as part of the contracting process.
- Many customers adopt our template with light revisions; others begin with their own. We’re accustomed to both flows.
- Your legal and compliance teams can negotiate specific provisions directly with our legal counsel.
To obtain our standard BAA for review, contact your Mandolin representative or email info@mandolin.com and indicate that you’re beginning vendor diligence for a PHI‑involving workflow.
Logging, traceability, and HIPAA‑aware AI operations
Frameworks and certificates aside, the real question is: Can you prove what your AI agents did with my patients’ data? Mandolin’s answer is deliberately operational:
- Every agent action is logged and traceable
– Navigating a payer portal
– Reading and interpreting a faxed referral or clinical note
– Making or documenting a phone call
– Submitting prior auth packages or checking claim status
Each step is stored with enough detail to reconstruct the workflow and demonstrate alignment with payer requirements and healthcare regulations.
- HIPAA‑aware by design
– Built as a healthcare SaaS platform, not a generic automation tool
– PHI handling assumptions baked into architecture, policies, and training
– Contracts (BAA) that explicitly recognize our role as a Business Associate
For compliance teams, that means:
- You can audit the work Mandolin performs on your behalf.
- You can demonstrate controls to regulators, auditors, and payers.
- You can connect operational outcomes (faster starts, fewer denials) to a traceable, defensible process.
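What an auditable, tamper‑evident record of agent actions can look like in practice, as an added illustration (this is not Mandolin’s code; the field names, the sealing‑key handling, the PHI denylist and the sample events are all assumptions): each entry is HMAC‑sealed over its own content plus the previous entry’s hash, so an after‑the‑fact edit to any step breaks the chain; a case can be replayed step by step from an opaque case reference; and identifier fields are refused in the log body so the trail records what the agent did, not the PHI it handled.

```python
"""Hash-chained, HMAC-sealed audit trail for AI agent actions.

Added illustration, not Mandolin's code. Key handling, field names, the PHI
denylist and the sample events below are assumptions made for the example.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Assumption: in a real deployment the sealing key lives in a KMS/HSM and is
# held by the audit service, not by the agent runtime that emits events.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

# Constructed denylist: identifiers that must never be copied into the
# free-form detail of an entry. The log is keyed by an opaque case reference.
PHI_FIELDS = {"patient_name", "dob", "ssn", "member_id", "phone"}


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic JSON so the seal can be recomputed byte-for-byte later."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: Dict[str, Any], prev_hash: str) -> str:
    """HMAC over the record and the previous entry's hash (the chain link)."""
    return hmac.new(AUDIT_KEY, canonical(record) + prev_hash.encode(),
                    hashlib.sha256).hexdigest()


class AgentAuditLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, ts: str, agent: str, action: str, target: str,
               case_ref: str, detail: Dict[str, Any]) -> Dict[str, Any]:
        leaked = PHI_FIELDS & set(detail)
        if leaked:
            raise ValueError(f"PHI fields not allowed in audit detail: {sorted(leaked)}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "ts": ts, "agent": agent,
                  "action": action, "target": target, "case_ref": case_ref,
                  "detail": detail}
        entry = dict(record, prev_hash=prev, hash=seal(record, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or not hmac.compare_digest(e["hash"], seal(record, prev))):
                return i
            prev = e["hash"]
        return -1

    def reconstruct(self, case_ref: str) -> List[str]:
        """Replay, in order, every step any agent took on one case."""
        return [f"{e['ts']} {e['agent']} {e['action']} {e['target']}"
                for e in self.entries if e["case_ref"] == case_ref]


def build_sample_log() -> AgentAuditLog:
    """Constructed sample events mirroring the workflow steps named on the page."""
    log = AgentAuditLog()
    log.append("2024-05-01T09:00:00Z", "intake-agent", "read_fax", "fax:inbound/000123",
               "case-7f3a", {"pages": 3, "doc_type": "referral"})
    log.append("2024-05-01T09:02:10Z", "benefits-agent", "portal_lookup", "payer-portal:planX",
               "case-7f3a", {"result": "eligible", "http_status": 200})
    log.append("2024-05-01T09:15:00Z", "auth-agent", "submit_prior_auth", "payer-portal:planX",
               "case-7f3a", {"confirmation": "PA-2024-0001"})
    log.append("2024-05-01T09:20:00Z", "status-agent", "check_claim_status", "payer-portal:planY",
               "case-9b21", {"status": "pending"})
    return log


def demo() -> Dict[str, Any]:
    log = build_sample_log()
    intact = log.verify()                      # -1: chain is good
    steps = log.reconstruct("case-7f3a")       # three steps for this case
    # Simulate an after-the-fact edit to what the benefits agent reported.
    log.entries[1]["detail"]["result"] = "not eligible"
    tampered_at = log.verify()                 # 1: first entry whose seal fails
    # The guard refuses detail fields that would copy identifiers into the log.
    try:
        log.append("2024-05-01T09:30:00Z", "intake-agent", "read_fax", "fax:inbound/000124",
                   "case-9b21", {"patient_name": "Jane Doe"})
        phi_blocked = False
    except ValueError:
        phi_blocked = True
    return {"intact": intact, "tampered_at": tampered_at,
            "steps": steps, "phi_blocked": phi_blocked}


if __name__ == "__main__":
    print(demo())
```

The chain alone only proves that nothing in the middle was altered; to make truncation detectable, the current chain head also has to be checkpointed somewhere the agent runtime cannot write (write‑once storage, a separate log service, or a customer‑held copy), which is the kind of detail worth asking a vendor about during the security deep‑dive.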
How to request Mandolin’s full security package
Because security documentation is sensitive and often NDA‑bound, we don’t post everything publicly. To get the complete picture — including SOC 2/HITRUST details, pen test summaries, and our standard BAA — follow this path:
- Start a vendor evaluation conversation
– Use the “Get Started” flow on our site or email info@mandolin.com.
– Mention that you’re requesting the Mandolin Security Package for vendor due diligence.
- Sign an NDA (if not already in place)
– This allows us to share detailed security documentation, architectural summaries, and pen test results.
- Schedule a security and compliance review
– We’ll bring security, product, and (when helpful) legal stakeholders.
– You can bring InfoSec, compliance, privacy, IT, and RevOps leadership.
- Review and negotiate the BAA
– We’ll provide our standard BAA.
– Your legal team can mark up, compare against your template, or move to signature.
From there, you get the confidence that your AI back office for specialty drugs is operating within the boundaries your regulators, payers, and patients expect — with formal documentation to match.
What this means for your specialty‑drug operation
When you plug Mandolin into your specialty‑drug workflows, you’re not just buying automation; you’re extending your regulated back office with AI agents that:
- Work directly in payer portals, faxes, and phones
- Handle PHI under a HIPAA‑aligned, BAA‑backed model
- Operate under enterprise‑grade security controls
- Leave an auditable trail of every action they take
That combination — operational depth plus provable security and compliance — is what lets leaders move from “Can we trust this?” to “How fast can we roll this out across sites and therapies?”