Security & HIPAA

We hold what they trusted you with — carefully.

Under HIPAA we're a Business Associate. We sign a Business Associate Agreement with every practice, and every vendor that helps us run things has signed one with us in turn. This page describes how that works, in plain language.

Encryption
A key unique to your practice
Record-keeping
Six years of who-touched-what
Vendor chain
A BAA with every vendor that touches PHI
01 / Encryption

Each practice gets its own key.

Every email body and every detail we pull from it is locked up at rest with a key that belongs to your practice. No other tenant's key can open your records, and our master key can only unlock yours with your key present.

When you eventually leave us, we destroy your key — in a way that we ourselves can't undo. The encrypted records become permanently unreadable. Departure is one click in Settings.

All connections are encrypted in transit too. Outbound mail goes over TLS.

How it’s keptillustrative
A new email arriveslocked with your key
your keylives behind our master key
locked recordstored as bytes
we wrote it downkept in the audit, no contents
02 / Record-keeping

Every time we touch your data, we write it down.

When a record is read, written, sent in a digest, replied to, or exported, a row appears in your audit. You can see your own audit any time in Settings — what was touched, when, and by whom.

The audit contains only what happened — never the contents of an email, never a client's name, never any words they wrote. We keep the record for six years, the HIPAA Security Rule retention period.

audit_log · last_24hillustrative
13:33:31INTAKE_CREATED
ok
13:33:31INTAKE_AUTO_REPLY_SENT
ok
13:33:30EMAIL_FETCHED
ok
13:13:54INTAKE_CREATED
ok
13:13:54INTAKE_VIEWED
ok
13:13:53INTAKE_AUTO_REPLY_SENT
ok
13:00:01CRON_RAN
ok
11:42:08USER_LOGIN
ok
03 / The vendors who help us

Named, and named publicly.

No vendor ever sees your clients' words without a signed Business Associate Agreement — that's a launch gate, not an aspiration, and we publish exactly which signatures are in place rather than rounding up. The full, current list lives at /legal/subprocessors and changes whenever the people we work with change.

AWSBAA on file
hosting · KMS · SES
signed
Claude on AWS BedrockBAA on file
LLM extraction
under AWS BAA
Google WorkspaceBAA on file
intake mailbox (Gmail)
signed
Neonno PHI path
Postgres database
signing pre-launch
Stripeno PHI path
billing only
no PHI
GitHubno PHI path
source code
no PHI
04 / The lines we won't cross

What we won't do — not now, not ever.

  • Write any client’s words or name into a log we can read.
  • Load behavioral or advertising trackers on pages where you’re signed in.
  • Show your data to any other practice, ever.
  • Use your clients’ words to train an AI — ours, Anthropic’s, or anyone’s.
  • Add a vendor that might see private records without a BAA on file first.
  • Send marketing email to your prospective clients.
05 / If something goes wrong

You hear from us within 24 hours.

If your clients' records are ever accessed by someone who shouldn't have, we'll tell you within 24 hours — so you have time to meet your own 60-day notification window without scrambling.

We have a written response procedure with a named owner at every step: detect, contain, understand, notify, and learn. The plan is referenced in your BAA and we update it after every drill.

If something happensillustrative
  1. T+0Detect: we see the alert or you tell us
  2. T+15mContain: isolate what’s affected, change keys
  3. T+1hUnderstand: who’s touched, what’s exposed
  4. T+24hTell you: an email to every affected practice, and a phone call if it’s urgent
  5. T+7dLearn: a written debrief — what happened, why, and what changes

Read the BAA before you sign up.

We'd rather you take time with the contract than trust a badge. Download a draft and read it over; we'll work with you on addenda if your state or board requires.