Your data stays controlled.
We build AI for regulated businesses, so we treat your data the way you have to. Here is the short version of how we keep it protected. The full security packet is available on request.
A human approves before anything leaves the building.
Our systems are built around human-in-the-loop review. AI does the repetitive work; a licensed person on your team reviews and approves before anything reaches a client or a payer. We do not deploy autonomous AI that sends client communications or submits claims on its own. You stay the data controller and the responsible professional. We act on your instructions and build to the controls your compliance function specifies.
Encrypted infrastructure, restricted access.
- Data is encrypted in transit (HTTPS / TLS) and at rest by our infrastructure providers.
- Our application and database run on infrastructure from providers (Vercel and Supabase) that maintain industry-standard security certifications.
- Database credentials and API keys live only in encrypted server-side environments. No privileged keys are ever exposed in the browser.
- Access to client data is restricted to the people who need it to do the work, and revoked when an engagement ends.
- We request only the data a given workflow actually needs, and we do not use your data to train third-party foundation models.
The paperwork your compliance team expects.
- We sign a Data Processing Agreement (DPA) for engagements that involve personal data.
- For engagements that involve protected health information (PHI), we put a Business Associate Agreement (BAA) in place before any PHI is processed.
- Every engagement is governed by a written services agreement that defines scope, responsibilities, retention, and what happens to your data when we are done.
- On request or at the end of an engagement, we return or delete your data and confirm it in writing.
What we will not pretend.
We are an implementation firm, not a certification body. We do not hold our own SOC 2 today, and if you ask, we will tell you that plainly rather than imply otherwise. We do not guarantee the outcome of any audit or examination; the licensed professional remains accountable for what goes out under their name. What we do guarantee is that the governance, the human review, and the records are real and built in from day one.
Request the full security packet.
Data-flow diagram, subprocessor list, retention and incident-response terms, and our DPA and BAA templates. We will walk your compliance team through it.
This page is a summary. It does not constitute a contract, a warranty, or legal advice. Specific security and compliance terms are set out in the written agreements for each engagement.