Querri Achieves HIPAA Compliance and ISO 27001:2022 Certification
Querri is now HIPAA compliant and ISO 27001:2022 certified, joining our existing SOC 2 Type II certification. Here's what it means, why we pursued it, and what it changes for your team.
Last year, when we announced SOC 2 Type II compliance, I wrote about what it meant to have our security controls independently verified. Not just documented, but tested over time. It mattered then.
Today we're going further. Querri is now HIPAA compliant and ISO 27001:2022 certified.
I want to explain why we pursued both, what they actually mean in practice, and what changes for the teams and companies using Querri because of them.
Why These Two, Why Now
The honest answer: because the companies we're building for need them.
Querri was always meant to be more than a tool for individual analysts. We're building something that works for whole teams and organizations, where multiple people across different roles can access the same data, ask their own questions, and trust what they're seeing. That kind of shared access is powerful. It also raises the bar for what security has to mean.
When a company starts to rely on Querri more seriously, connecting more of their data, sharing it with more of their team, making decisions based on it, they're putting real trust in us. We don't take that lightly. These certifications are part of how we grow alongside our customers. As their needs evolve, we want to be ready, not catching up.
HIPAA and ISO 27001:2022 are the right next step for that. And they're different in what they address.
What HIPAA Compliance Means for Your Data
HIPAA is most closely associated with healthcare, but its relevance is broader. Any organization that handles protected health information (PHI), whether that's an insurance company, a benefits administrator, an HR platform, or any business that touches employee health data, needs its tools to meet HIPAA's requirements.
HIPAA compliance means Querri meets the specific technical, administrative, and physical safeguards that govern how PHI can be stored, processed, and accessed. In practice: data is encrypted at rest (AES-256) and in transit (TLS), access is controlled and logged at the individual user level, each customer's data is isolated within its own tenant and never crosses into another account, and audit trails track every access and change with tamper-resistant logging.
If you work in a regulated industry, or if your organization holds sensitive personal information that warrants the same level of care, HIPAA compliance gives you a verified, standardized answer to whether Querri handles your data appropriately.
What ISO 27001:2022 Means
ISO 27001 is different from HIPAA in an important way. HIPAA is a regulatory standard focused on a specific category of data. ISO 27001:2022 is a management system standard. It certifies that Querri has a systematic, documented, and continuously improving approach to information security across the whole organization.
The 2022 revision is worth calling out specifically. It updated the standard's controls to address modern realities: cloud security, supply chain risk, and threat intelligence. These aren't abstract concerns for a SaaS platform. They're exactly the categories where the risk is highest and where a vague "we take security seriously" assurance doesn't cut it.
ISO 27001:2022 certification means an independent auditor has verified that our information security management system meets that standard. That covers how we identify risks, apply controls, respond to incidents, and train our team.
Three Certifications, One Foundation
With SOC 2 Type II already in place, these two certifications complete a framework that covers the security questions enterprise teams ask most often.
SOC 2 Type II answers: are your operational controls working, and have they been working consistently over time? HIPAA answers: can you handle sensitive personal data in a compliant way? ISO 27001:2022 answers: is your organization's approach to information security systematic and mature?
No single certification answers everything, but together they provide a level of verification that's meaningful to security teams, procurement teams, and the companies that need to sign off on the tools their employees use.
Security That's Built Into How the Product Works
Certifications describe our organization's security posture. But I also want to be direct about what that looks like inside the product itself, because it's not incidental to how Querri works.
Querri's security model is built around a simple principle: your data is private by default, and you control exactly what gets shared and with whom.
When a team member creates a project, uploads data, or connects a source, it's theirs alone. Nobody in your organization can see it unless they explicitly share it. From that foundation, you layer in as much governance as your organization actually needs. Sharing controls let you decide who can view or edit each project, dashboard, data source, view, and connector. Access policies apply row-level security so each person automatically sees only the data they should. Organizations create hard boundaries between departments that need complete data isolation. And the audit log keeps a complete record of every security-relevant action across the organization.
You can read through the full model in our security and governance documentation. If you're a procurement or security team evaluating Querri, the sections on access policies and workspaces are probably where you want to start.
What This Means If You're Running Teams on Querri
We're building Querri to work for organizations, not just individual users: teams that need data accessible to the right people and protected from the wrong ones, without requiring an IT project every time someone needs a new report.
These certifications are part of that commitment. They're not marketing. They're the documented, independently verified answer to what we've built and how we operate. If your security team needs something concrete to review, this is it.
Request Our Compliance Reports
We share our SOC 2 Type II, HIPAA, and ISO 27001:2022 compliance reports under NDA with customers, partners, and prospects who want to review them. Contact security@querri.com to request access, or visit our Trust Center to learn more.
If you have specific questions about how any of these certifications apply to your organization's requirements, I'm happy to talk through them directly.