// Trust & Security Report

    Qventus, Inc. logo

    Qventus, Inc.

    AI Hospital Operations Platform

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Audit Reports: Qventus-2025-Type 2 SOC 2-Final Report.pdf

    Verify on trust.qventus.com
    HIPAA
    HELD

    Audit Reports: Qventus-2025-Type 1 HIPAA-Final Report.pdf — listed under Compliance: HIPAA

    Verify on trust.qventus.com
    > Show 3 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED
    HITRUST
    NOT CONFIRMED
    FedRAMP
    NOT CONFIRMED

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not stated

    Data region

    United States only. Privacy policy states: 'The Personal Data we collect through the Site will be stored on secure servers in the United States. These third parties are not permitted to transfer your Personal Data outside of the United States.'

    OpenAI is listed as a subprocessor on the trust center under the category 'Engineering', suggesting its use is scoped to internal development rather than customer-data processing. No explicit public statement confirms or denies training on customer or patient data. The privacy policy (last updated July 2025) states 'Qventus and its Business Partners reserve the right to continue using de-identified data indefinitely' — identifiable PHI training would violate HIPAA without explicit patient authorization, which Qventus as a covered-entity vendor is bound by. Prospective customers handling PHI should request a Business Associate Agreement and confirm the OpenAI subprocessor scope contractually.

    // Security controls

    Penetration Testing

    External network and Web+API penetration tests conducted October 2025. Reports available under NDA via trust center access request.

    trust.qventus.com

    Cloud Infrastructure

    Amazon Web Services (AWS) — listed as primary cloud provider subprocessor

    trust.qventus.com

    Encryption

    Data encryption in use; encryption key access restricted; SSL/TLS for transit; technical, administrative, and physical safeguards documented

    trust.qventus.com

    Access Controls

    Unique account authentication enforced; production application access restricted; encryption key access restricted

    trust.qventus.com

    Endpoint Security

    Anti-malware technology utilized; HIPAA Workstation Security Policy documented

    trust.qventus.com

    Employee Screening

    Employee background checks performed

    trust.qventus.com

    Cybersecurity Insurance

    Cybersecurity insurance maintained

    trust.qventus.com

    Incident Response

    Incident Response Plan with HIPAA Addendum and Breach Notification Procedures documented and available in trust center

    trust.qventus.com

    Disaster Recovery

    Disaster Recovery Exercise Report available in trust center

    trust.qventus.com

    Bug Bounty / Vulnerability Disclosure

    No public bug bounty program found on HackerOne, Bugcrowd, or qventus.com as of 2026-06-27, and no standalone responsible-disclosure policy page. A dedicated security contact (security@qventus.com) is published on the trust center, providing a direct channel for reporting vulnerabilities.

    trust.qventus.com

    Third-Party Management

    Third-Party Management Policy documented and available in trust center

    trust.qventus.com

    Data Subprocessors

    Amazon Web Services (Cloud provider), Google Workspace (Identity provider), OpenAI (Engineering), GitHub (Version control)

    trust.qventus.com

    // Products & data scope

    Surgical Growth SolutionAI Healthcare Operations / Surgical Services

    data: EHR-integrated; processes surgical scheduling data, OR utilization metrics, and service line growth data. PHI in scope for operational automation.

    Designed to fill ORs with strategically prioritized surgical cases. Deeply integrated with hospital EHR via bidirectional real-time feed.

    Perioperative Care Coordination SolutionAI Healthcare Operations / Pre-Admission Testing

    data: Processes patient pre-admission data, administrative tasks, and PHI through AI Operational Assistants. PHI in scope.

    Claims to reduce surgery cancellations by up to 40%. Each team member receives an AI-powered administrative assistant.

    Inpatient Capacity SolutionAI Healthcare Operations / Patient Flow

    data: Processes inpatient discharge planning data, estimated discharge dates, patient disposition, and ancillary resource orchestration. PHI in scope.

    EHR-embedded; generates aggressive but achievable estimated discharge dates by first morning after admission.

    AI Operational AssistantsAI Agent / Healthcare Automation

    data: Cross-cutting automation layer; acts on below-license administrative tasks across all Qventus solutions. PHI in scope.

    Takes autonomous action on administrative workflows rather than merely recommending tasks. Underlying AI platform used across all solution products.

    AI Solution FactoryAI Co-development Platform / Healthcare

    data: Platform for co-developing custom AI Operational Assistants with health systems. Data scope varies by custom solution built.

    Announced as Qventus's next-wave product for accelerating bespoke AI solution development in partnership with health system customers.

    // What to watch

    • OpenAI listed as subprocessor under 'Engineering' category — customers handling PHI should request BAA and confirm scope of OpenAI data access contractually
    • HIPAA audit report is 'Type 1' (point-in-time attestation), not a full HIPAA Type 2 period-of-time examination — less rigorous than SOC 2 Type 2
    • No public bug bounty or formal responsible-disclosure program found, though a dedicated security@qventus.com contact is published on the trust center for vulnerability reports; a structured disclosure policy would be an improvement for a platform of this scale
    • No GDPR DPA or explicit GDPR compliance statement found — relevant for any EU data subjects or EU-based health system subsidiaries
    • De-identified data retained and usable indefinitely per privacy policy — customers should clarify contractually what 'de-identified' means in their context
    • No ISO 27001 or HITRUST certification — both are common expectations for enterprise healthcare vendors handling PHI at scale

    // At a glance

    Pricing model

    Enterprise contract (custom pricing; no public pricing listed; demo required)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Qventus, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.qventus.com

    > Browse all vendor trust reports