Manta is built for regulated healthcare environments. Security, compliance, and data isolation are part of the platform architecture from the start, not additions that arrive during procurement.

Manta Health operates as a HIPAA business associate and maintains HIPAA-aligned administrative, physical, and technical safeguards across the platform. Manta will execute a Business Associate Agreement with covered entities and business associates as required. HIPAA is an ongoing operational posture, and Manta’s internal policies, access controls, encryption practices, workforce training, and incident response procedures are all designed to meet HIPAA’s requirements for the protection of electronic protected health information.
Manta’s SOC 2 Type II audit is currently underway, covering the period May 1 through July 31, 2026. The attestation report will be available following the audit period’s conclusion and covers the security, availability, and confidentiality trust service criteria. Prospective clients requiring SOC 2 documentation as part of their procurement process should contact security@manta.health to discuss timing and available materials.
PHI handled by the Manta platform is protected through a combination of encryption at rest and in transit, tenant-level data isolation, role-based access controls, and continuous monitoring. Data at rest is encrypted across all storage layers. Data in transit is encrypted using TLS 1.3 for all public-facing traffic. Access to PHI within the platform is governed by authenticated tenant context, so each customer’s data is isolated by design and inaccessible to other tenants or unauthorized internal users.
Manta implements tenant isolation at multiple layers of the platform stack:
This multi-layer approach means data isolation does not depend on any single control but is enforced structurally across the platform.
Manta's Trust Center at trust.manta.health provides an overview of active controls across infrastructure security, organizational security, product security, internal security procedures, and data and privacy. Clients can request the SOC 2 Type II report, review subprocessors, and access the Engagement Letter through the Trust Center. For BAAs, data processing agreements, or security review support during procurement, contact security@manta.health.

Manta runs entirely in a cloud-native AWS Well Architected design approach. Production workloads run inside private VPCs with tenant encryption, firewall and network observability across all storage and messaging services, TLS 1.3 for public-facing traffic, and continuous monitoring.
Manta enforces tenant isolation at four independent layers: Persistence, storage, tenant-aware event context at messaging, and JWT-based propagation at the application layer. PHI, authorization records, eligibility data, clinical documents, payment records, and audit logs are all subject to the same isolation controls and encryption posture. Customer data is deleted upon contract conclusion.
All access follows least-privilege principles with SCIM and SAML provisioning, MFA enforced platform-wide, and quarterly access reviews. Production access is tiered: most engineers hold read-only access by default, elevated access is restricted to on-call engineers, and CI/CD pipelines use OIDC with no long-lived credentials.
Manta Health operates as a HIPAA business associate and maintains HIPAA-aligned administrative, physical, and technical safeguards across the platform. Manta executes BAAs with covered entities and business associates as required. HIPAA compliance at Manta is an ongoing operational posture supported by documented policies, access controls, encryption practices, workforce training, and incident response procedures.
Manta's SOC 2 Type II audit is currently underway, covering the period May 1 through July 31, 2026. The attestation report will be available following the audit period's conclusion and covers the security, availability, and confidentiality trust service criteria. Contact security@manta.health for documentation timing and availability.
PHI on the Manta platform is protected through encryption at rest, encryption in transit using TLS 1.3, multi-layer tenant isolation, role-based access controls with MFA enforcement, and continuous monitoring. Access to PHI is governed by authenticated tenant context, meaning each customer’s data is isolated by design and inaccessible to other tenants or unauthorized internal users.
Manta implements tenant isolation at four independent layers: PostgreSQL Row Level Security at the database layer, tenant-partitioned S3 prefixes at the storage layer, tenant-aware event context at the messaging layer, and JWT-based tenant propagation at the application layer. Each layer enforces the boundary independently so isolation does not depend on any single control.
Data at rest is encrypted across all storage layers. Data in transit is encrypted using TLS 1.3 for all public-facing traffic. Encryption key management is centralized, with restricted key access enforced at the infrastructure level.
Yes. Manta's Trust Center is available at trust.manta.health and provides a real-time overview of active security controls across infrastructure security, organizational security, product security, internal security procedures, and data and privacy. Clients can request the SOC 2 Type II report, review subprocessors, and access the Engagement Letter through the Trust Center.
Yes. Manta will execute a Business Associate Agreement with covered entities and business associates as required under HIPAA. Contact security@manta.health to initiate the BAA process or to request a data processing agreement.
Manta uses AWS managed inference services for AI-powered clinical workflows including prior authorization determination, eligibility interpretation, agentic appeals, and patient financial clearance. AI workflows operate inside the same governed infrastructure as the rest of the platform and are subject to the same authentication, authorization, tenant isolation, monitoring, and auditability controls that apply platform-wide.
Production access at Manta follows a tiered model. Most engineers hold read-only console access by default. Elevated access is restricted to on-call engineers during active incidents, and SRE access is limited to personnel with defined operational responsibilities. All user identity and group membership is managed through centralized identity systems using SCIM and SAML provisioning, with MFA enforced across all users and access reviewed quarterly. CI/CD pipelines use OIDC authentication with no long-lived credentials.
IT reviewers evaluating Manta can expect HIPAA-aligned data handling practices, a BAA upon request, SOC 2 Type II documentation following the current audit period, encryption at rest and in transit, multi-layer tenant isolation, role-based access controls with MFA, tiered production access, secure software development practices, a subprocessor list, and direct engagement from the security team. All documentation is accessible through trust.manta.health or by contacting security@manta.health.
Say goodbye to faxes, lengthy phone calls, and tedious RCM admin.