Security & compliance

HIPAA-compliant by architecture, not by checkbox.

Lumè was designed from day one with HIPAA compliance baked into every layer: tenant isolation enforced at the database, role-based permissions resolved per request, append-only audit logging on every PHI access, and AWS infrastructure under a signed Business Associate Agreement.

Most CRM platforms treat HIPAA compliance as a tier upgrade — a "secure" plan that costs 2x the regular plan and ships with a few extra features bolted on. That model creates a two-track product where the compliance posture is a marketing differentiator, not an architectural one.

Lumè doesn't have a "secure tier." Every customer is on the HIPAA-compliant architecture from day one because there's only one architecture. Tenant isolation, role-based permissions, audit logging, and PHI containment are foundational — built into the models and middleware, not patched on as an upsell.

What "HIPAA-compliant" means here

The product surface is built on a SOC 2-aligned spine: least privilege, traceability, change management, separation of duties. Production infrastructure runs on AWS services covered by a Business Associate Agreement, with Postgres encrypted at rest under KMS, encrypted backups, automated key rotation and logged access (details under Production posture below). Email goes through SES with SPF, DKIM and DMARC configured for the sending domain.

The product also makes the conservative choice consistently. Email containing PHI, a signed-consent copy for example, is sent only when an operator explicitly initiates it, because automated PHI delivery would require per-customer authorization that most spas don't capture today. CSV exports of per-customer data require an explicit confirmation before the download starts. Every confirmation is written to the audit log.

Production posture

Lumè's production environment runs on AWS under a signed BAA. Postgres is encrypted at rest with KMS; backups are encrypted; key rotation is automated. SES handles email with DKIM, SPF, and DMARC configured. Audit log tables are append-only, enforced at the database trigger level: UPDATE and DELETE statements against them are rejected, so an application bug or a compromised application credential cannot rewrite history after the fact.
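The following is an added illustration of the append-only pattern described above, written for Postgres; it is not Lumè's schema or code. The table name `audit_log`, its columns, the role name `app_rw` and the session setting `app.tenant_id` are assumptions for illustration. Beyond the UPDATE/DELETE rejection the page describes, it also covers TRUNCATE (which row-level triggers do not see) and shows one way to keep the same table tenant-scoped at the database with row-level security, since the page states tenant isolation is enforced there without saying how.

```sql
-- Added example, not Lumè's code. Table, column and role names are assumptions.
-- A minimal PHI-access audit table: one row per access, written once, never changed.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,   -- e.g. 'phi.read', 'export.csv', 'email.consent'
    record_ref  text        NOT NULL,   -- identifier of the PHI record touched
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Trigger function: any attempt to modify history raises and aborts the statement.
-- TG_OP carries the operation name (UPDATE, DELETE or TRUNCATE) into the message.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$ LANGUAGE plpgsql;

-- Row-level trigger rejects UPDATE and DELETE before any row is touched.
CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- TRUNCATE does not fire row-level triggers, so it needs a statement-level one.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- The application role (assumed name app_rw) may only read and append. It must not
-- own the table: the owner could DROP or DISABLE the triggers and defeat the control.
REVOKE ALL ON audit_log FROM app_rw;
GRANT SELECT, INSERT ON audit_log TO app_rw;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_rw;

-- Tenant isolation at the database (assumed mechanism): row-level security keyed on a
-- per-request session setting. A request that never sets app.tenant_id sees nothing,
-- because current_setting(..., true) returns NULL and NULL never satisfies the policy.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_log_tenant ON audit_log
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per-request usage with constructed sample values. SET LOCAL scopes the tenant
-- to this transaction only, so a pooled connection cannot leak it to the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO audit_log (tenant_id, actor_id, action, record_ref)
VALUES ('11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222',
        'phi.read', 'client:4711');
COMMIT;

-- Verification of the control (each statement is expected to fail, not succeed):
UPDATE audit_log SET action = 'phi.write' WHERE record_ref = 'client:4711';
DELETE FROM audit_log WHERE record_ref = 'client:4711';
TRUNCATE audit_log;
```

Run as the table owner (a migration role), then connect as `app_rw` for the usage block. The INSERT succeeds; the UPDATE, DELETE and TRUNCATE each abort with the trigger's exception, and an INSERT whose `tenant_id` differs from `app.tenant_id` is rejected by the policy's WITH CHECK clause. Two checks worth keeping in CI: that `app_rw` is not the owner of `audit_log` (query `pg_tables.tableowner`), and that both triggers are still enabled (`pg_trigger.tgenabled <> 'D'`), since a disabled trigger leaves the schema looking intact while the control is gone.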

SOC 2 Type II is in progress. We can share the in-progress audit scope and a list of mapped controls on request.