HIPAA-defensible by default. Auditable on demand.
PHI is redacted before it ever reaches an AI model. Every PHI read writes to an append-only audit log. BAA included on every paid tier and on the Deaf-owned tier — signed in days, not weeks.
What the AI never sees, raw.
Redacted before the model sees it
- Consumer names → initials only.
- Free-text clinical notes → regex + NER scrub.
- Phone numbers, MRNs, DOBs, SSNs → token-replaced for the model; hydrated client-side after the response.
- Executive-session and paused-mic portions → never captured, never transcribed.
Implementation: redactForModel() in lib/redact.ts. Every model call writes an AI_Audit row with input/output hashes.
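The token-replace-then-hydrate pattern described above, as an added illustration. This is not the project's lib/redact.ts; the function names, the regex set and the [[KIND_n]] placeholder format are assumptions, and a production scrub would add NER for names in free text rather than relying on a caller-supplied list.

```typescript
// Added example: PHI token replacement for a model call, plus client-side hydration.
// Not the product's own redactForModel(); a minimal illustration of the pattern.

export interface Redaction {
  text: string;                 // what the model is allowed to see
  tokens: Map<string, string>;  // placeholder -> original value, kept client-side only
}

// Constructed sample patterns for the structured identifiers named on the page.
const PATTERNS: Array<[string, RegExp]> = [
  ["SSN", /\b\d{3}-\d{2}-\d{4}\b/g],
  ["PHONE", /\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b/g],
  ["DOB", /\b(?:0?[1-9]|1[0-2])\/(?:0?[1-9]|[12]\d|3[01])\/\d{4}\b/g],
  ["MRN", /\bMRN[ :#]*\d{6,}\b/g],
];

// Replace each PHI match with a stable placeholder such as [[SSN_1]].
// The same value always maps to the same token, so the model sees consistent references.
export function redactForModel(input: string, names: string[] = []): Redaction {
  const tokens = new Map<string, string>();
  const reverse = new Map<string, string>();
  let text = input;
  const tokenFor = (kind: string, value: string): string => {
    const key = `${kind}:${value}`;
    let tok = reverse.get(key);
    if (!tok) {
      tok = `[[${kind}_${tokens.size + 1}]]`;
      tokens.set(tok, value);
      reverse.set(key, tok);
    }
    return tok;
  };
  for (const [kind, re] of PATTERNS) {
    text = text.replace(re, (m) => tokenFor(kind, m));
  }
  // Consumer names become initials only; no token is kept, so they are never restored.
  for (const name of names) {
    const initials = name.split(/\s+/).map((p) => p[0] + ".").join("");
    text = text.split(name).join(initials);
  }
  return { text, tokens };
}

// Put original values back into the model's response before it is shown to the user.
// Unknown placeholders are left untouched rather than guessed.
export function hydrate(modelOutput: string, tokens: Map<string, string>): string {
  return modelOutput.replace(/\[\[[A-Z]+_\d+\]\]/g, (tok) => tokens.get(tok) ?? tok);
}
```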
Per-tenant prompt-cache isolation
Every model call begins with tenant_id: <id> in the system prompt. The model provider's prompt caching keys on the prompt prefix, which means cache hits cannot cross tenant boundaries even if two prompts are otherwise identical.
Tamper-evident, kept for years, and yours to export.
Every record opened
Whenever someone — interpreter, scheduler, requestor — opens a record with patient details in it, the log notes who, what, when, and why.
Kept seven years
The log can only be added to. Entries can't be edited or deleted by anyone, and it's held for seven years.
Can't be quietly changed
Each entry is sealed to the one before it. If anything is altered after the fact, that seal breaks and the next check catches it.
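An added example of the seal described above: each entry carries the hash of the entry before it, and a verifier walks the chain from the start and reports the first entry whose seal no longer holds. This is not the product's audit-log code; the field names, SHA-256 and the JSON canonicalisation are assumptions.

```typescript
// Added example: an append-only, hash-chained audit log and the check that catches
// after-the-fact edits or deletions. Not the product's own implementation.
import { createHash } from "crypto";

export interface AuditEntry {
  seq: number;       // position in the log
  at: string;        // when (ISO timestamp)
  actor: string;     // who
  action: string;    // what, e.g. "PHI_READ"
  record: string;    // which record
  reason: string;    // why
  prevHash: string;  // seal: hash of the previous entry ("" for the first)
  hash: string;      // hash over this entry's fields plus prevHash
}

// Deterministic field order so every verifier computes the same seal.
function sealOf(e: Omit<AuditEntry, "hash">): string {
  const canon = JSON.stringify([e.seq, e.at, e.actor, e.action, e.record, e.reason, e.prevHash]);
  return createHash("sha256").update(canon).digest("hex");
}

// The only write operation: append a new entry sealed to the current tail.
export function append(
  log: AuditEntry[],
  fields: Omit<AuditEntry, "seq" | "prevHash" | "hash">,
): AuditEntry {
  const prev = log[log.length - 1];
  const body = { ...fields, seq: log.length, prevHash: prev ? prev.hash : "" };
  const entry = { ...body, hash: sealOf(body) };
  log.push(entry);
  return entry;
}

// Returns the index of the first entry whose seal does not hold, or -1 if the chain is intact.
// An edited field changes the hash; a deleted entry shows up as a seq/prevHash mismatch.
export function firstBrokenSeal(log: AuditEntry[]): number {
  let expectedPrev = "";
  for (let i = 0; i < log.length; i++) {
    const { hash, ...rest } = log[i];
    if (rest.seq !== i || rest.prevHash !== expectedPrev || sealOf(rest) !== hash) return i;
    expectedPrev = hash;
  }
  return -1;
}
```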
Security-log export
On the Network plan, the audit log streams into your own security tooling. The format is documented and stays steady.
Subject access
Consumers can request their own access log under HIPAA's right of access. The response is a redacted PDF, ready in 30 days or less.
Tenant export
Your full audit log exports with your other data. CSV or JSON. Same one-click button.
Encrypted at rest and in transit. Tenant-isolated.
- At rest (v1): Per-tenant access controls plus initials-only mode for clinical fields. Records are protected and access-logged; column-level AES is on the roadmap, not in v1.
- In transit: TLS 1.3 everywhere. HSTS preload submitted; the Strict-Transport-Security header is sent with the includeSubDomains and preload directives.
- Tenant-isolated records: A signed BAA covers the per-agency record store. Each tenant's records have their own access controls and audit log.
- Receipt storage: Encrypted object storage with per-tenant prefixes; tracked publicly in the changelog.
- Tenant isolation: Durable Objects named AgencyHub:<tenant_id>. KV keys prefixed <tenant_id>:. Prompt-cache keyed by tenant_id so model cache hits cannot cross tenants.
7-tier role hierarchy. Magic-link sign-in. 7-day invitation TTL.
Seven roles, role-scoped UI
platform_staff → owner → manager → scheduler, interpreter, client_contact, requestor_contact, billing_contact. The role on the invite scopes everything that user sees in /app/.
Role-scoped invitation allowlist
Managers can invite the five contact-tier roles, but not other managers. Only owners create managers. The allowlist is enforced server-side; the UI in /app/settings/team just reflects it.
No passwords
Magic-link sign-in only. Invitation tokens live 7 days, then expire. Sessions are agency-scoped; multi-agency users pick which tenant on landing.
Two-party consent. RECORDING indicator. PAUSE.
Maryland is a two-party-consent state, and most of our audiences are mixed-hearing PSAs / boards / conferences. We apply the strictest rule everywhere, not just in Maryland.
- Announce. Every audio-recorded session announces — verbally and visually — at start.
- Consent at check-in. Every attendee gives explicit consent, default unchecked.
- RECORDING indicator on every shared screen for the duration.
- One-tap PAUSE for the chair / host — executive session, off-the-record, personnel matters.
- Non-consenting lines flagged in the transcript, redacted from any public output.
Defaults you don't have to ask for.
| Data type | Default retention | What happens after |
|---|---|---|
| Raw audio | 30 days | Auto-delete (cannot be extended without legal review) |
| Transcript (timed, machine-readable) | 1 year | Archive (cold storage, restorable on request) |
| Approved minutes / human-edited summary | Permanent | This is the legal record |
| Executive-session / paused-mic portions | Never captured | Cannot be retroactively recorded |
| Audit log | 7 years | Add-only, tamper-evident, then archived |
| Operational data (jobs, invoices, etc.) | As long as you're a customer | One-click export on cancellation |
Where we are — honest about the timeline.
HIPAA
BAA executed. Technical, administrative, and physical safeguards documented. Annual risk assessment.
SOC 2
Type I targeted for Q4 2026; Type II for Q3 2027. We won't claim a Type II we don't have. Status is on this page when it changes.
GDPR / UK GDPR
DPA available on request. EU/UK customers gated behind data-residency review until our EU presence is set up.
FERPA
School-district customers have a FERPA-compatible DPA covering student records. K-12 settings default to no recording.
Accessibility (Section 508 / WCAG)
Built to the recognized standards from the first screen. The formal statement is on the accessibility page.
PCI
No card data touches our servers. Payments are processed end-to-end by Stripe. We hold tokens, not PANs.
Need the BAA? It takes days, not weeks.
Either path gets you to a real person within one business day.