// Trust & Security Report
Qventus, Inc.
AI Hospital Operations Platform
Certifications held
2
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.qventus.com“Audit Reports: Qventus-2025-Type 2 SOC 2-Final Report.pdf”
Verify on trust.qventus.com“Audit Reports: Qventus-2025-Type 1 HIPAA-Final Report.pdf — listed under Compliance: HIPAA”
> Show 3 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not stated
Data region
United States only. Privacy policy states: 'The Personal Data we collect through the Site will be stored on secure servers in the United States. These third parties are not permitted to transfer your Personal Data outside of the United States.'
OpenAI is listed as a subprocessor on the trust center under the category 'Engineering', suggesting its use is scoped to internal development rather than customer-data processing. No explicit public statement confirms or denies training on customer or patient data. The privacy policy (last updated July 2025) states 'Qventus and its Business Partners reserve the right to continue using de-identified data indefinitely' — identifiable PHI training would violate HIPAA without explicit patient authorization, which Qventus as a covered-entity vendor is bound by. Prospective customers handling PHI should request a Business Associate Agreement and confirm the OpenAI subprocessor scope contractually.
// Security controls
Penetration Testing
External network and Web+API penetration tests conducted October 2025. Reports available under NDA via trust center access request.
trust.qventus.comCloud Infrastructure
Amazon Web Services (AWS) — listed as primary cloud provider subprocessor
trust.qventus.comEncryption
Data encryption in use; encryption key access restricted; SSL/TLS for transit; technical, administrative, and physical safeguards documented
trust.qventus.comAccess Controls
Unique account authentication enforced; production application access restricted; encryption key access restricted
trust.qventus.comEndpoint Security
Anti-malware technology utilized; HIPAA Workstation Security Policy documented
trust.qventus.comIncident Response
Incident Response Plan with HIPAA Addendum and Breach Notification Procedures documented and available in trust center
trust.qventus.comBug Bounty / Vulnerability Disclosure
No public bug bounty program found on HackerOne, Bugcrowd, or qventus.com as of 2026-06-27, and no standalone responsible-disclosure policy page. A dedicated security contact (security@qventus.com) is published on the trust center, providing a direct channel for reporting vulnerabilities.
trust.qventus.comThird-Party Management
Third-Party Management Policy documented and available in trust center
trust.qventus.comData Subprocessors
Amazon Web Services (Cloud provider), Google Workspace (Identity provider), OpenAI (Engineering), GitHub (Version control)
trust.qventus.com// Products & data scope
data: EHR-integrated; processes surgical scheduling data, OR utilization metrics, and service line growth data. PHI in scope for operational automation.
Designed to fill ORs with strategically prioritized surgical cases. Deeply integrated with hospital EHR via bidirectional real-time feed.
data: Processes patient pre-admission data, administrative tasks, and PHI through AI Operational Assistants. PHI in scope.
Claims to reduce surgery cancellations by up to 40%. Each team member receives an AI-powered administrative assistant.
data: Processes inpatient discharge planning data, estimated discharge dates, patient disposition, and ancillary resource orchestration. PHI in scope.
EHR-embedded; generates aggressive but achievable estimated discharge dates by first morning after admission.
data: Cross-cutting automation layer; acts on below-license administrative tasks across all Qventus solutions. PHI in scope.
Takes autonomous action on administrative workflows rather than merely recommending tasks. Underlying AI platform used across all solution products.
data: Platform for co-developing custom AI Operational Assistants with health systems. Data scope varies by custom solution built.
Announced as Qventus's next-wave product for accelerating bespoke AI solution development in partnership with health system customers.
// What to watch
- OpenAI listed as subprocessor under 'Engineering' category — customers handling PHI should request BAA and confirm scope of OpenAI data access contractually
- HIPAA audit report is 'Type 1' (point-in-time attestation), not a full HIPAA Type 2 period-of-time examination — less rigorous than SOC 2 Type 2
- No public bug bounty or formal responsible-disclosure program found, though a dedicated security@qventus.com contact is published on the trust center for vulnerability reports; a structured disclosure policy would be an improvement for a platform of this scale
- No GDPR DPA or explicit GDPR compliance statement found — relevant for any EU data subjects or EU-based health system subsidiaries
- De-identified data retained and usable indefinitely per privacy policy — customers should clarify contractually what 'de-identified' means in their context
- No ISO 27001 or HITRUST certification — both are common expectations for enterprise healthcare vendors handling PHI at scale
// At a glance
Pricing model
Enterprise contract (custom pricing; no public pricing listed; demo required)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Qventus, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.qventus.com