Trust Center

Security & compliance at 1DentalAI

We treat the security and privacy of protected health information as a core product requirement. This Trust Center shows the frameworks we align to, the controls we operate, and the documents you can request under NDA.

36 controls monitored Updated July 1, 2026 security@1dentalai.com
HIPAACompliant

Administrative, physical, and technical safeguards for PHI (45 CFR Part 164).

SOC 2 Type IIIn progress

Security, Availability, Confidentiality, and Privacy trust service criteria.

HITECHCompliant

Breach notification and enhanced HIPAA enforcement alignment.

GDPR / CCPACompliant

Data subject rights, consent, and privacy-by-design principles.

Documents & resources

Request confidential reports under NDA, or download public policies.

SOC 2 Type II Report

Independent auditor report. Available under NDA once the current audit period completes.

HIPAA Compliance Summary

Overview of safeguards mapped to the HIPAA Security Rule.

Penetration Test Report

Latest third-party penetration test executive summary.

Business Associate Agreement

Template BAA for covered entities.

Data Processing Addendum

DPA covering GDPR/CCPA processing terms.

Security Whitepaper

Architecture and security overview.

Privacy Policy

How we collect, use, and protect data.

Controls

Controls are continuously monitored and evidence is collected automatically.
  • Data encrypted at rest (PostgreSQL encryption + S3 server-side encryption)
  • Data encrypted in transit with TLS 1.2+
  • Network firewalls and security groups restrict access
  • Continuous infrastructure monitoring and alerting
  • Automated vulnerability scanning
  • Encrypted, regularly tested database backups
  • High-availability deployment with health checks
  • Least-privilege access to production infrastructure

Policies

Our security and privacy program is governed by documented policies, reviewed regularly. Full copies are available on request.

Information Security Policy

Overarching security program, governance, and control objectives.

SOC 2HIPAA

Access Control Policy

Least-privilege access, RBAC, MFA, and access reviews.

SOC 2 CC6HIPAA §164.312(a)

Incident Response Plan

Detection, triage, containment, and post-incident review.

SOC 2 CC7HIPAA §164.308(a)(6)

Data Retention & Disposal Policy

Retention periods and secure disposal of data including PHI.

HIPAA §164.316

Business Continuity & Disaster Recovery Policy

Backups, RTO/RPO targets, and recovery procedures.

SOC 2 A1HIPAA §164.308(a)(7)

Risk Assessment & Management Policy

How risks are identified, scored, and remediated.

SOC 2 CC3HIPAA §164.308(a)(1)

Vendor & Subprocessor Management Policy

Vendor due diligence, BAAs, and ongoing review.

SOC 2 CC9HIPAA §164.308(b)

Encryption & Key Management Policy

Encryption standards for data at rest and in transit.

HIPAA §164.312(a)(2)(iv)HIPAA §164.312(e)

Change Management Policy

Version control, review, testing, and deployment gates.

SOC 2 CC8

Workforce Security & Training Policy

Onboarding, offboarding, background checks, and HIPAA training.

SOC 2 CC1HIPAA §164.308(a)(5)

Breach Notification Policy

HIPAA/HITECH breach assessment and notification timelines.

HIPAA §164.400-414

Acceptable Use Policy

Rules for using company systems and handling data.

SOC 2 CC1

Subprocessors

Third parties that may process data on our behalf. PHI subprocessors operate under a signed BAA.

SubprocessorPurposeLocationBAA
TelnyxVoice & SMS communicationsUnited States Yes
OpenAIAI engine & transcriptionUnited States Yes
StediEDI clearinghouse (claims/eligibility)United States Yes
DigitalOceanApplication hosting & databaseUnited States Yes
DigitalOcean SpacesObject storage (documents, recordings)United States Yes
StripeBilling & payment processing (no PHI)United StatesN/A
ResendTransactional email (no PHI)United StatesN/A

Questions about our security?

Reach our security team for compliance questionnaires, BAAs, or to report a vulnerability.

Contact security team