Most CRM platforms treat HIPAA as a tier upgrade: a "secure" plan at 2x the regular price, with a few extra features bolted on. That model creates a two-track product, where the compliance posture is a marketing line, not an architectural one.
Lumè doesn't have a "secure tier." Every customer is on the HIPAA-compliant architecture because there's only one architecture. Tenant isolation, role-based permissions, audit logging, and PHI containment are foundational. They're built into the models and the middleware, not patched on as an upsell.
What "HIPAA-compliant" means here
The product is built on a SOC 2-aligned spine: least privilege, traceability, change management, separation of duties. Production runs on AWS services covered by a Business Associate Agreement. Postgres is KMS-encrypted at rest. Email goes through SES with the right SPF, DKIM, and DMARC posture. Backups are encrypted, key rotation is automated, access is logged.
The product also makes the hard choice consistently. Email containing PHI (a signed-consent copy, for example) sends only when an operator initiates it, because automated PHI delivery would require per-customer authorization most spas don't capture today. CSV exports of per-customer data fire a confirmation gate before the download. Every confirmation is logged.
Production posture
Production runs on AWS under a signed BAA. Postgres is encrypted at rest with KMS. Backups are encrypted, and key rotation is automated. SES handles email with DKIM, SPF, and DMARC configured. Audit log tables are append-only, enforced at the database trigger level: UPDATE and DELETE statements against them are rejected.
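As an added example (not Lumè's own schema or code), here is how an append-only audit table can be enforced in Postgres at the trigger level, paired with least-privilege grants so the trigger is a backstop rather than the only control; the table, column and role names (audit_log, app_rw) are assumptions.

```sql
-- Added example, not Lumè's schema. Names below are assumptions.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   text        NOT NULL,
    actor_id    text        NOT NULL,
    action      text        NOT NULL,  -- e.g. 'export.confirmed', 'email.phi.sent'
    details     jsonb
);

-- Any UPDATE, DELETE or TRUNCATE against the table aborts the statement.
CREATE OR REPLACE FUNCTION audit_log_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_append_only();

-- TRUNCATE does not fire row-level triggers, so guard it separately.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_append_only();

-- Least privilege: the application role (assumed name app_rw) can only
-- write new rows and read them. A table owner or superuser could still drop
-- the trigger, so ownership should sit with a separate migration role.
REVOKE ALL ON audit_log FROM PUBLIC, app_rw;
GRANT SELECT, INSERT ON audit_log TO app_rw;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_rw;

-- Constructed sample: a logged CSV-export confirmation, then two attempts
-- to alter history. Both attempts are aborted by audit_log_append_only().
INSERT INTO audit_log (tenant_id, actor_id, action, details)
VALUES ('spa-001', 'op-42', 'export.confirmed', '{"rows": 120}');

UPDATE audit_log SET action = 'export.cancelled' WHERE id = 1;
DELETE FROM audit_log WHERE id = 1;
```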
SOC 2 Type II is in progress. We can share the in-progress audit scope and a list of mapped controls on request.
