Security & HIPAA
We engineer PHI out of our process.
Patient information never enters our platform by design: our audit intake captures only a clinic name, URL, and contact email, none of which is patient data. We sign a BAA on request.
HIPAA-Ready
PHI is engineered out of our intake. We don't receive, process, or store patient information.
BAA on Request
We sign a Business Associate Agreement for any client who requires one. Template available at /legal/baa.
No PHI in Slack
Our Slack-native workflow is designed so that no patient information appears in any message; the only data it carries is the clinic name, URL, and contact email collected at intake.
Sub-processor list
Last updated: May 2026. We will notify clients of material changes to this list with 30 days' notice.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Cloudflare, Inc. | Pages hosting, Workers runtime, CDN, DDoS protection, Turnstile bot protection, DNS, R2 object storage | US | DPA |
| Neon, Inc. | Postgres database (audit submission metadata and operator data, no PHI) | US | DPA |
| Anthropic, PBC | Content generation engine (no PHI transmitted) | US | DPA |
| Slack Technologies, LLC | Internal workflow + operator notifications (no PHI transmitted) | US | DPA |
| Google LLC | PageSpeed Insights API, Google Business Profile API (audit signal collection, no PHI) | US | DPA |
| Airtable, Inc. | Internal project management (no PHI) | US | DPA |
| Stripe, Inc. | Payment processing | US | DPA |
Security questions? [email protected]