Redline. PHI/PII compliance for operators in regulated industries.
Redline classifies sensitive data on intake, manages your BAA registry, and gates non-compliant vendors before they touch protected records. SOC 2 + HIPAA-ready.
What Redline does.
Classify automatically
Every record entering Merkava is tagged with a PHI/PII level. No manual triage. The classification rides with the record into every Drive that consumes it.
Gate before connect
A vendor without a signed BAA cannot ingest tenant data classified as PHI. Pre-connect gates fail closed. The compliance state is the source of truth, not a prayer.
BAA registry built in
Every signed Business Associate Agreement is tracked in baa_registry. The /security page on your marketing site auto-updates when a new BAA lands.
Audit trail by default
Who accessed what, when, and why — every read of PHI-classified data is logged. Your SOC 2 auditor gets a queryable evidence room.
When to use it.
- You handle PHI under HIPAA or PII under HIPAA-aligned regulations
- You're scoping a SOC 2 Type II audit and need access logs that auditors actually accept
- You sell into healthcare, financial services, or government and prospects ask for a BAA before the demo
- You've outgrown an honor-system "we'll be careful" approach and need pre-connect enforcement
Questions.
How long does Redline take to set up?
About 30 minutes. The first-run flow walks you through PHI classifications for the data sources you've already connected, and starts the BAA collection process for any vendor that doesn't have one on file.
Does Redline replace my SOC 2 auditor?
No — Redline produces the evidence your auditor needs (access logs, vendor BAA registry, classification policies). Your auditor still does the audit. Redline shortens the evidence-collection phase from weeks to hours.
What happens if a non-BAA vendor tries to access PHI data?
The pre-connect gate fails closed. The vendor receives a clear error explaining a BAA is required. A queue entry appears in /drives/redline so an operator can route the BAA request to the vendor's legal team.
Is Redline available on every plan?
Redline is part of the TECH executive bundle ($149/mo — CTO plus specialists). Operators who need HIPAA/SOC 2 compliance scope without the rest of the TECH bundle can install Redline as a standalone Drive; see /pricing for current Drive subscription tiers. Custom configurations for healthcare and regulated-industry stacks: email [email protected].
How does Redline compare to Vanta or Drata?
Vanta and Drata are SOC 2 / HIPAA platforms — they monitor your stack, collect evidence, and generate auditor reports. Their value sits at the company-wide compliance program level, priced ~$585/mo+ for the platform plus implementation. Redline is the tenant-scoped Drive inside Merkava: it enforces compliance at the data-flow boundary (PHI classification on intake, BAA-gating before connect) and produces the per-tenant audit trail. The two complement each other: Vanta/Drata for org-level program management; Redline for per-tenant data-flow enforcement.
What about data residency for international operators?
Today: US-East data center. EU residency is on the post-launch roadmap (multi-region for tenants on custom Enterprise plans, EU-West first). Operators with strict EU residency requirements should email [email protected] to scope; we can hold tenant onboarding until your jurisdiction is supported, or negotiate interim controls.
Can I run my own audit reports without engineering help?
Yes. Redline's audit dashboard exposes the full per-tenant evidence trail: data flows, vendor BAA status, classification policies, access logs. Export to PDF or CSV for your auditor. The query language is point-and-click; no SQL required for standard auditor questions.
Try Redline in your Merkava workspace.
Hire one Drive or your full executive team.