We treat the security and privacy of protected health information as a core product requirement. This Trust Center shows the frameworks we align to, the controls we operate, and the documents you can request under NDA.
Administrative, physical, and technical safeguards for PHI (45 CFR Part 164).
Security, Availability, Confidentiality, and Privacy trust service criteria.
Breach notification and enhanced HIPAA enforcement alignment.
Data subject rights, consent, and privacy-by-design principles.
Request confidential reports under NDA, or download public policies.
SOC 2 Type II Report
Independent auditor report. Available under NDA once the current audit period completes.
HIPAA Compliance Summary
Overview of safeguards mapped to the HIPAA Security Rule.
Penetration Test Report
Latest third-party penetration test executive summary.
Business Associate Agreement
Template BAA for covered entities.
Data Processing Addendum
DPA covering GDPR/CCPA processing terms.
Security Whitepaper
Architecture and security overview.
Privacy Policy
How we collect, use, and protect data.
Our security and privacy program is governed by documented policies, reviewed regularly. Full copies are available on request.
Information Security Policy
Overarching security program, governance, and control objectives.
Access Control Policy
Least-privilege access, RBAC, MFA, and access reviews.
Incident Response Plan
Detection, triage, containment, and post-incident review.
Data Retention & Disposal Policy
Retention periods and secure disposal of data including PHI.
Business Continuity & Disaster Recovery Policy
Backups, RTO/RPO targets, and recovery procedures.
Risk Assessment & Management Policy
How risks are identified, scored, and remediated.
Vendor & Subprocessor Management Policy
Vendor due diligence, BAAs, and ongoing review.
Encryption & Key Management Policy
Encryption standards for data at rest and in transit.
Change Management Policy
Version control, review, testing, and deployment gates.
Workforce Security & Training Policy
Onboarding, offboarding, background checks, and HIPAA training.
Breach Notification Policy
HIPAA/HITECH breach assessment and notification timelines.
Acceptable Use Policy
Rules for using company systems and handling data.
Third parties that may process data on our behalf. PHI subprocessors operate under a signed BAA.
| Subprocessor | Purpose | Location | BAA |
|---|---|---|---|
| Telnyx | Voice & SMS communications | United States | Yes |
| OpenAI | AI engine & transcription | United States | Yes |
| Stedi | EDI clearinghouse (claims/eligibility) | United States | Yes |
| DigitalOcean | Application hosting & database | United States | Yes |
| DigitalOcean Spaces | Object storage (documents, recordings) | United States | Yes |
| Stripe | Billing & payment processing (no PHI) | United States | N/A |
| Resend | Transactional email (no PHI) | United States | N/A |
Reach our security team for compliance questionnaires, BAAs, or to report a vulnerability.
Contact security team