Security

Security at Manta Health

Manta is built for regulated healthcare environments. Security, compliance, and data isolation are part of the platform architecture from the start, not additions that arrive during procurement.

Illustration of a secure healthcare technology platform protected by a glowing digital shield, with healthcare professionals reviewing patient workflow data, security icons, and encrypted data paths on a dark blue background.
WHY IT MATTERS

Why Security Matters in Coverage Intelligence

Built Into the Platform from Day One

At Manta Health, security is designed into the platform from the start. The infrastructure, data handling practices, access controls, compliance operations, and AI governance are built as a unified system rather than assembled in response to procurement requirements.

Workflows for What Matters Most

Coverage intelligence workflows touch protected health information, payer records, clinical documentation, and patient financial data. In specialty practice environments, that data connects directly to clinical decisions, revenue outcomes, and patient access to care.

Raising the Governance Bar

AI-native automation raises the governance bar. When a platform is embedded in prior authorization, eligibility verification, and patient financial clearance workflows, the question that matters most is whether it can be trusted with the data it processes and the decisions it informs.
Built for Regulated Environments

Compliance and Trust

Is Manta Health HIPAA compliant?

Manta Health operates as a HIPAA business associate and maintains HIPAA-aligned administrative, physical, and technical safeguards across the platform. Manta will execute a Business Associate Agreement with covered entities and business associates as required. HIPAA is an ongoing operational posture, and Manta’s internal policies, access controls, encryption practices, workforce training, and incident response procedures are all designed to meet HIPAA’s requirements for the protection of electronic protected health information.

Does Manta Health have SOC 2 Type II?

Manta’s SOC 2 Type II audit is currently underway, covering the period May 1 through July 31, 2026. The attestation report will be available following the audit period’s conclusion and covers the security, availability, and confidentiality trust service criteria. Prospective clients requiring SOC 2 documentation as part of their procurement process should contact security@manta.health to discuss timing and available materials.

How does Manta protect PHI?

PHI handled by the Manta platform is protected through a combination of encryption at rest and in transit, tenant-level data isolation, role-based access controls, and continuous monitoring. Data at rest is encrypted across all storage layers. Data in transit is encrypted using TLS 1.3 for all public-facing traffic. Access to PHI within the platform is governed by authenticated tenant context, so each customer’s data is isolated by design and inaccessible to other tenants or unauthorized internal users.

How does Manta isolate customer data in a multi-tenant environment?

Manta implements tenant isolation at multiple layers of the platform stack:

  • Database layer: Data stores filter all queries by tenant context, scoping database operations to the authenticated customer’s data by default.
  • Storage layer: Static files are partitioned by tenant ID.
  • Messaging layer: Event messages include tenant context, and consumers validate tenant authorization before processing.
  • Application layer: JWT tokens carry tenant context that propagates through downstream operations.

This multi-layer approach means data isolation does not depend on any single control but is enforced structurally across the platform.

Where can clients find Manta security documentation?

Manta's Trust Center at trust.manta.health provides an overview of active controls across infrastructure security, organizational security, product security, internal security procedures, and data and privacy. Clients can request the SOC 2 Type II report, review subprocessors, and access the Engagement Letter through the Trust Center. For BAAs, data processing agreements, or security review support during procurement, contact security@manta.health.

Infographic showing three platform security pillars for Manta: infrastructure, tenant isolation, and least privilege, with cloud, shield, data protection, access control, and secure deployment icons connected by continuous governance arrows.
Security by Design

How Manta Builds Security Into the Platform

Infrastructure and Architecture

Manta runs entirely in a cloud-native AWS Well Architected design approach. Production workloads run inside private VPCs with tenant encryption, firewall and network observability across all storage and messaging services, TLS 1.3 for public-facing traffic, and continuous monitoring.

Tenant Isolation and Data Protection

Manta enforces tenant isolation at four independent layers: Persistence, storage, tenant-aware event context at messaging, and JWT-based propagation at the application layer. PHI, authorization records, eligibility data, clinical documents, payment records, and audit logs are all subject to the same isolation controls and encryption posture. Customer data is deleted upon contract conclusion.

Access Control and Least Privilege

All access follows least-privilege principles with SCIM and SAML provisioning, MFA enforced platform-wide, and quarterly access reviews. Production access is tiered: most engineers hold read-only access by default, elevated access is restricted to on-call engineers, and CI/CD pipelines use OIDC with no long-lived credentials.

Who It's Built For

What Clients and IT Reviewers Can Expect

Clients evaluating Manta for deployment in specialty practice environments can expect the following from a security and compliance review.
HIPAA-aligned data handling practices and willingness to execute a BAA with covered entities and business associates as required.
SOC 2 Type II audit currently underway for the period May 1 through July 31, 2026, with the attestation report available following the conclusion of the audit period, covering security, availability, and confidentiality trust service criteria.
Encryption at rest across all storage layers, and encryption in transit using TLS 1.3 for all public-facing traffic.
Tenant isolation enforced independently at the database, storage, messaging, and application layers, so data separation does not depend on any single control failing to prevent cross-customer exposure.
Role-based access controls with MFA enforcement, centralized identity management through SCIM and SAML, and quarterly access reviews covering all employees and contractors.
Tiered production access that limits elevated permissions to on-call and SRE personnel with defined operational responsibilities, with no long-lived credentials in use across CI/CD pipelines.
Secure software development practices including peer code review, automated testing, hardened container images, controlled deployments with health checks and rollback paths, and documented vulnerability response processes.
Security review support during procurement, including access to the Trust Center, SOC 2 documentation upon availability, BAAs, data processing agreements, and direct engagement from the security team.
A subprocessor list and Engagement Letter available through the Trust Center at trust.manta.health.
Frequently Asked Questions

Common questions about Security

Is Manta Health HIPAA compliant?

Manta Health operates as a HIPAA business associate and maintains HIPAA-aligned administrative, physical, and technical safeguards across the platform. Manta executes BAAs with covered entities and business associates as required. HIPAA compliance at Manta is an ongoing operational posture supported by documented policies, access controls, encryption practices, workforce training, and incident response procedures.

Does Manta Health have SOC 2 Type II?

Manta's SOC 2 Type II audit is currently underway, covering the period May 1 through July 31, 2026. The attestation report will be available following the audit period's conclusion and covers the security, availability, and confidentiality trust service criteria. Contact security@manta.health for documentation timing and availability.

How does Manta Health protect PHI?

PHI on the Manta platform is protected through encryption at rest, encryption in transit using TLS 1.3, multi-layer tenant isolation, role-based access controls with MFA enforcement, and continuous monitoring. Access to PHI is governed by authenticated tenant context, meaning each customer’s data is isolated by design and inaccessible to other tenants or unauthorized internal users.

How does Manta isolate customer data in a multi-tenant environment?

Manta implements tenant isolation at four independent layers: PostgreSQL Row Level Security at the database layer, tenant-partitioned S3 prefixes at the storage layer, tenant-aware event context at the messaging layer, and JWT-based tenant propagation at the application layer. Each layer enforces the boundary independently so isolation does not depend on any single control.

What encryption does Manta use?

Data at rest is encrypted across all storage layers. Data in transit is encrypted using TLS 1.3 for all public-facing traffic. Encryption key management is centralized, with restricted key access enforced at the infrastructure level.

Does Manta Health have a Trust Center?

Yes. Manta's Trust Center is available at trust.manta.health and provides a real-time overview of active security controls across infrastructure security, organizational security, product security, internal security procedures, and data and privacy. Clients can request the SOC 2 Type II report, review subprocessors, and access the Engagement Letter through the Trust Center.

Can Manta Health sign a BAA?

Yes. Manta will execute a Business Associate Agreement with covered entities and business associates as required under HIPAA. Contact security@manta.health to initiate the BAA process or to request a data processing agreement.

What AI infrastructure does Manta use?

Manta uses AWS managed inference services for AI-powered clinical workflows including prior authorization determination, eligibility interpretation, agentic appeals, and patient financial clearance. AI workflows operate inside the same governed infrastructure as the rest of the platform and are subject to the same authentication, authorization, tenant isolation, monitoring, and auditability controls that apply platform-wide.

How does Manta handle access control for production systems?

Production access at Manta follows a tiered model. Most engineers hold read-only console access by default. Elevated access is restricted to on-call engineers during active incidents, and SRE access is limited to personnel with defined operational responsibilities. All user identity and group membership is managed through centralized identity systems using SCIM and SAML provisioning, with MFA enforced across all users and access reviewed quarterly. CI/CD pipelines use OIDC authentication with no long-lived credentials.

What should IT reviewers expect when evaluating Manta Health?

IT reviewers evaluating Manta can expect HIPAA-aligned data handling practices, a BAA upon request, SOC 2 Type II documentation following the current audit period, encryption at rest and in transit, multi-layer tenant isolation, role-based access controls with MFA, tiered production access, secure software development practices, a subprocessor list, and direct engagement from the security team. All documentation is accessible through trust.manta.health or by contacting security@manta.health.

Questions About Security? We Have Answers.

Visit the Trust Center for documentation, or contact our security team directly to start the conversation.
Visit the Trust Center

Ready to Transform Your RCM Process?

Say goodbye to faxes, lengthy phone calls, and tedious RCM admin.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.