Security & architecture

Built for the people who have to sign off.

Appelo is a revenue-cycle tool for healthcare, so protecting PHI isn't a feature — it's the architecture. Here's exactly how we treat your patient and claims data, and how we keep your team in control at every step.

Human-in-the-loop by design

Appelo prepares and drafts. A member of your staff reviews and approves every output before anything is submitted. No clinical or coverage decision is ever automated.

Built for HIPAA

PHI is designed to be encrypted in transit and at rest, with role-based, least-privilege access and administrative, physical, and technical safeguards. Controls follow the SOC 2 framework, with independent audit on the roadmap.

Isolated cloud architecture

The app runs on HIPAA-eligible AWS inside a private network. The database is never exposed to the internet, and every tier is reachable only through a hardened, monitored edge.

BAA-backed, end to end

We sign a Business Associate Agreement with every practice we work with — and the AI that drafts your appeals runs under a BAA too, on a covered, HIPAA-ready path.

Never trained on your data

Your patient and claims data is never used to train AI models — ours or our providers'. It is processed to do your work, and for nothing else.

Complete, exportable audit trail

Every AI draft and every human approval is logged with who, what, and when — and exportable for your own compliance review.

How it's built

The architecture, end to end.

Appelo runs on HIPAA-eligible AWS. PHI only travels over encrypted connections through isolated, monitored tiers — and the AI that drafts appeals is reached privately, inside the network.

Clinic staff
  • Your team: Google sign-in, in the browser

HTTPS

Edge — public subnet
  • Route 53: DNS
  • ACM: TLS cert
  • AWS WAF: Filters traffic
  • Load balancer: ALB

Application — private subnet
  • ECS Fargate: Next.js app + AI agents
  • Secrets Manager: No secrets in code
  • AWS KMS: Encryption keys

Data — isolated subnet
  • RDS PostgreSQL: Encrypted, Multi-AZ, no public access

AI — private VPC endpoint
  • Amazon Bedrock: Claude — PHI stays in-VPC

Audit & logging
  • CloudTrail: Infrastructure access
  • CloudWatch: App + agent logs
  • Audit trail: Every draft + approval

Encrypted in transit (TLS) and at rest (KMS) · database unreachable from the internet · BAA-covered AWS services only.

Follow a claim

One denied claim, through the whole system.

  1. Sign in

    Dana (revenue cycle) signs in with Google. The request crosses Route 53, a web application firewall, and the load balancer before it reaches anything.

    Route 53 · WAF · ALB · TLS

  2. Load the claim

    The app — running in a private subnet on Fargate — reads the denied knee-arthroscopy claim (CLM-2026-04471, denial CO-197) from the encrypted database.

    ECS Fargate · RDS PostgreSQL · KMS

  3. Draft the appeal

    The agent sends only the context needed for this appeal to Claude on Amazon Bedrock, over a private VPC endpoint — so the PHI never leaves the AWS network — and the letter streams back with its cited criteria.

    Bedrock (Claude) · VPC endpoint

  4. A person approves

    Dana reviews the draft and the policy citations, edits if needed, and approves. Nothing is submitted automatically — the human makes the call.

    ECS Fargate

  5. Submit & record

    The approved letter is saved, the submission is recorded, and the AI draft + human approval are written to an immutable, exportable audit trail. Infrastructure access is logged separately in CloudTrail.

    RDS PostgreSQL · CloudTrail · CloudWatch
AI & your PHI

The AI drafts. A person decides. The data stays covered.

Appelo uses frontier AI to draft appeals and spot documentation gaps — but the model never acts on its own, and the data it sees is handled under contract.

  • Human-in-the-loop. No clinical or coverage decision is automated. Your staff reviews and approves every output before it leaves the building.
  • Runs on Amazon Bedrock. Claude is reached through Bedrock over a private VPC endpoint, covered by our AWS BAA — so PHI never traverses the public internet to a consumer endpoint.
  • No training on your data. The model is used to do the task in front of it, and your data is then governed by the agreed retention terms. Your data never trains a model.
  • Data minimization. Only the context needed to draft a given appeal is sent — not your whole record.
Appelo classified denial: CO-197 · precertification absent
Appelo drafted appeal: CLM-2026-04471 · cited LCD L39266
D. Reyes reviewed & approved: CLM-2026-04471 · no edits
Submitted to payer: CLM-2026-04471 · logged
Boundaries

Where your data never goes.

Never used to train models

Your data is never used to train AI models — ours or our providers'. It is processed to do your work, then governed by the agreed retention terms.

Never sold or shared

PHI is never sold, rented, or shared with third parties for advertising or any purpose outside delivering the service to you.

Never on uncontrolled hardware

Production PHI lives only inside HIPAA-eligible, access-controlled AWS infrastructure — not on laptops, personal drives, or unmanaged hosts.

Never beyond covered services

Data flows are designed to stay within services covered by a Business Associate Agreement — including the Bedrock path that drafts your appeals.

Bring your security review.

We'd rather walk your team through the architecture up front. Ask for our security overview, BAA template, and data-flow diagram.