Nemira

The clinic OS for cash-pay practices. Charting, scheduling, packages, payments, and patient financing in one place.


Nemira is a software platform for cash-pay clinics. It does not provide medical advice. Treatment outcomes vary by provider, procedure, and individual case.

Financing offers shown in the platform are estimates and do not represent loan approvals. Actual rates, terms, and approvals are subject to lender review and applicable law.

© 2026 NEMIRA

Security

Built for the data your patients trust you with.

HIPAA-eligible infrastructure, encrypted data at rest and in transit, audit logs on every clinical action. Built with HIPAA-aware workflows for the security reviews that come with real revenue.

Encryption and storage

Patient data, encrypted by default.

No raw PHI sits in any database on the platform. Encryption is enforced at write time. Keys rotate on a 90-day schedule. Backups inherit the same posture.
  • Patient data encrypted at rest in Postgres
  • TLS 1.3 in transit
  • PHI fields tokenized where supported
  • Private uploads via Vercel Blob
patients.row · production (Encrypted)

Field             | Stored value          | Protection
patient.full_name | 0xA8 92 4F 17 . . .   | AES-256-GCM
patient.dob       | 0x21 7B 9C 03 . . .   | AES-256-GCM
patient.email     | 0xC4 11 8D 2A . . .   | AES-256-GCM
note.soap.body    | 0x9F 6E 04 BB . . .   | AES-256-GCM
payment.last4     | **** **** **** 4242   | Tokenized via Stripe

IV unique per row · keys rotated every 90 days · Verified

Audit log

Every clinical action, recorded.

Every action that touches a patient record writes an audit log entry. Sign-offs, edits, exports, logins, and force-edits all leave a trail. PII is auto-scrubbed from metadata before write.
  • Every clinical action recorded
  • PII auto-scrubbed in metadata
  • Filterable and exportable
  • 7-year retention
Audit log entry · 2026-05-12 09:14:02 UTC
  action: lead.note_signed
  actor: Dr. K. Walters (provider_user · 0x7C2A)
  entity: patient.note · note_id 0x91FF
  ip: 71.204.18.42
  user_agent: Nemira iOS 1.4.2 · iPhone 15 Pro
  metadata: { template: 'chiro_v2', duration_ms: 84120, redacted: true }
PII auto-scrubbed before write · Retained 7y

Infrastructure

HIPAA-eligible infrastructure, top to bottom.

BAA status shown by vendor for every sub-processor that touches PHI. Annual SOC 2 in progress with a Q3 target. Technical safeguards documented and reviewed every quarter.
  • BAA status shown by vendor (Stripe, Resend, Vercel, Supabase, OpenAI, Twilio)
  • Annual SOC 2 audit in progress, Q3 target
  • HIPAA technical safeguards documented
  • BAA available on Growth and Enterprise
  • HIPAA: Eligible
  • SOC 2: Type II · in progress
  • BAA: Available on Growth+
  • Data residency: US-only

Posture

Six controls that matter at security review.

AES-256 encryption

GCM-mode at rest, per-row IVs. Keys rotated every 90 days.

TLS 1.3 in transit

All client and inter-service traffic uses modern TLS only.

Audit logs

Every clinical action recorded. PII scrubbed. 7-year retention.

Role-based access

Provider, practitioner, front desk, admin. Permissions enforced server-side.

SSO

SAML and OIDC support shipping Q4 on the Enterprise tier.

2FA support

TOTP and recovery codes available today. WebAuthn next.

Sub-processors

The full list, who touches what.

No hidden vendors. Every party that handles PHI is named here, with the role they play and BAA status shown by vendor.

Sub-processor | Role                            | Region                | BAA
Stripe        | Payments and Connect onboarding | US                    | Executed
Resend        | Transactional email             | US                    | Executed
Twilio        | SMS and 10DLC messaging         | US                    | Executed
OpenAI        | Voice transcription via Whisper | US-only API           | Executed
Supabase      | Managed Postgres and auth       | US                    | In progress
Vercel        | Hosting and edge                | Global, US data plane | Executed

✦ Patient data never leaves US borders by default

Compliance

Security review coming up?

We respond to security questionnaires and BAA requests inside one business day. Most clinics clear review on the first pass.
