ChiroDesk AI

Trust Center

Security, compliance, and data protection are the foundation of everything we build. ChiroDesk AI is designed from the ground up for healthcare, so you can trust us with your patients' data.

HIPAA Compliant · SOC 2 Type II · AES-256 Encryption · BAA Included

Continuously monitored · Independently audited

Compliance & Certifications

HIPAA: Compliant
Full technical, administrative, and physical safeguards for protected health information.

SOC 2 Type II: Controls Implemented
Independent audit of security, availability, and confidentiality controls.

TCPA: Compliant
Consent management and compliance for all outbound patient communications.

BAA: Included
Business Associate Agreement signed with every practice before any data is shared.

Risk Profile

Data Access Level: Limited PHI (scheduling data only)
Hosting Location: United States (AWS us-east-1, us-west-2)
Data Residency: All data stored in U.S. data centers
Impact Level: Moderate (no clinical or diagnostic data processed)

Product Security

  • Audit Logging
  • Encryption at Rest and in Transit
  • Role-Based Access Control
  • MFA Required
  • Penetration Testing
  • Vulnerability Scanning

AI-Specific Protections

  • Scheduling only. Our AI handles appointment logistics. It does not provide medical advice, diagnosis, or treatment recommendations.
  • No training on your data. Patient data is never used to train, fine-tune, or improve AI models. Ever.
  • Minimum necessary access. The AI only accesses the minimum patient information needed to complete a scheduling task.
  • Encrypted conversations. All call recordings, transcripts, and text messages are encrypted at rest and in transit.
  • Human oversight. Practices maintain full control and can review all AI interactions at any time.
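One way to enforce the minimum-necessary and human-oversight points above in code, as an added example rather than ChiroDesk AI's own implementation: the patient record, the task names, the per-task field allowlists, the `NEVER_TO_MODEL` deny set and the audit-log shape are all assumptions constructed for illustration. The model is never handed the full record; it receives a scoped view built from an allowlist, an allowlist that would expose clinical fields fails closed, and every read at the tool boundary (denied reads included) is logged under a pseudonym rather than the patient identifier, so the log can be reviewed by the practice without itself becoming a second copy of PHI.

```python
import hashlib
import time

# Constructed sample record: a fictional patient, not real PHI.
FULL_RECORD = {
    "patient_id": "P-1042",
    "name": "Jane Doe",
    "phone": "+1-555-0100",
    "email": "jane.doe@example.com",
    "dob": "1985-04-12",
    "insurance_member_id": "XYZ-998877",
    "diagnosis": "M54.50 low back pain",
    "clinical_notes": "Adjustment L4-L5; re-evaluate in two weeks.",
    "preferred_days": ["Tue", "Thu"],
}

# Hypothetical per-task allowlists: the only fields the model may see for each task.
TASK_FIELDS = {
    "schedule_appointment": {"patient_id", "name", "phone", "preferred_days"},
    "confirm_appointment": {"patient_id", "name", "phone"},
}

# Clinical and financial fields that no scheduling task may expose, even if an
# allowlist above is widened by mistake.
NEVER_TO_MODEL = {"dob", "insurance_member_id", "diagnosis", "clinical_notes"}


class PolicyError(Exception):
    """Raised when a request would exceed the task's minimum-necessary scope."""


def pseudonym(patient_id: str) -> str:
    # Audit entries carry a digest instead of the identifier so the log is not a
    # second copy of PHI. A keyed hash (HMAC) would be the production choice.
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


class ScopedView:
    """What the model is handed: only allowlisted fields, every read audited."""

    def __init__(self, fields: dict, task: str, subject: str, audit_log: list):
        self._fields = fields
        self.task = task
        self.subject = subject  # pseudonymous patient reference
        self._log = audit_log

    def keys(self) -> list:
        return sorted(self._fields)

    def get(self, field: str):
        # Tool-boundary check: a request for anything outside the view is denied,
        # and the denial is logged so the practice can review what the model tried.
        allowed = field in self._fields
        self._log.append({
            "ts": time.time(), "event": "field_read", "task": self.task,
            "patient": self.subject, "field": field, "allowed": allowed,
        })
        if not allowed:
            raise PolicyError(f"{field!r} is outside the scope of task {self.task!r}")
        return self._fields[field]


def minimum_necessary_view(record: dict, task: str, audit_log: list) -> ScopedView:
    """Project a full record down to the fields the task needs, and log the disclosure."""
    allowed = TASK_FIELDS.get(task)
    if allowed is None:
        raise PolicyError(f"unknown task {task!r}")
    leaked = allowed & NEVER_TO_MODEL
    if leaked:
        # Fail closed: a widened allowlist must not silently expose clinical data.
        raise PolicyError(f"allowlist for {task!r} would expose {sorted(leaked)}")
    view = {k: record[k] for k in allowed if k in record}
    subject = pseudonym(record.get("patient_id", ""))
    audit_log.append({
        "ts": time.time(), "event": "view_disclosed", "task": task,
        "patient": subject, "fields": sorted(view),
    })
    return ScopedView(view, task, subject, audit_log)


def check_allowlists() -> list:
    """Configuration self-check: tasks whose allowlist overlaps NEVER_TO_MODEL."""
    return sorted(t for t, f in TASK_FIELDS.items() if f & NEVER_TO_MODEL)


if __name__ == "__main__":
    log = []
    view = minimum_necessary_view(FULL_RECORD, "schedule_appointment", log)
    print("model sees:", view.keys())
    print("phone:", view.get("phone"))
    try:
        view.get("diagnosis")
    except PolicyError as e:
        print("denied:", e)
    print("log entries:", len(log), "- raw id present:", "P-1042" in str(log))
```

The projection happens before anything is passed to the language model, so a prompt-injected request for "the patient's diagnosis" has nothing to read: the field is absent from the view, the attempt is denied at `get()`, and the denial is in the log the practice reviews. Running `check_allowlists()` in CI keeps a later edit to `TASK_FIELDS` from quietly crossing the clinical boundary.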

Security Controls Monitor

Encryption at Rest: Monitored, Passing
Encryption in Transit: Monitored, Passing
Access Controls: Monitored, Passing
Audit Logging: Monitored, Passing
Backup & Recovery: Monitored, Passing
Incident Response: Monitored, Passing
Employee Training: Monitored, Passing
Vendor Management: Monitored, Passing

Documents

HIPAA Compliance Details (public)
How we implement technical, administrative, and physical safeguards to protect PHI.

Privacy Policy (public)
How we collect, use, and protect your information.

Terms of Service (public)
The terms governing use of our platform and services.

BAA Information (public)
How our Business Associate Agreement protects your patient data.

Subprocessors

Company | Purpose | Data Location
Amazon Web Services (AWS) | Cloud infrastructure & data storage | United States
Twilio | Telephony & SMS | United States
ElevenLabs | Voice synthesis | United States
Anthropic | AI language processing | United States
Stripe | Payment processing | United States
Postmark | Transactional email | United States
Datadog | Infrastructure monitoring & logging | United States

Subscribe to subprocessor change notifications: security@chirodesk.ai

Infrastructure

ChiroDesk AI is hosted on enterprise-grade U.S.-based cloud infrastructure with:

  • SOC 2 Type II certified data centers (AWS)
  • Redundant power, networking, and storage across multiple availability zones
  • 24/7 physical security with biometric access controls
  • Automatic failover and disaster recovery
  • Real-time infrastructure monitoring via Datadog

Uptime SLA: 99.9% target availability for all production services.

Frequently Asked Questions

Is patient data encrypted?

Yes. All patient data is encrypted with AES-256 at rest and TLS 1.3 in transit. Every call recording, transcript, text message, and database record is covered. Encryption keys are managed through AWS KMS with automatic rotation. Note that this is server-side encryption: ChiroDesk AI holds the keys and must decrypt data to process calls and messages, so it is not end-to-end encryption in the sense that only your practice could read the data.

Do you train AI on our data?

No. Patient data is never used to train, fine-tune, or improve any AI models. Your data is used exclusively to provide the scheduling service to your practice. This is contractually guaranteed in our BAA and Terms of Service.

What happens if there’s a breach?

We maintain a comprehensive incident response plan that includes immediate containment, investigation, and notification. In the event of a breach affecting PHI, we will notify affected practices within 24 hours and work with you on required patient notifications per HIPAA Breach Notification Rule requirements.

Where is our data stored?

All data is stored in SOC 2 certified Amazon Web Services (AWS) data centers located in the United States (us-east-1 and us-west-2 regions). Data never leaves U.S. borders. Each practice’s data is logically isolated. One practice can never access another’s information.

What happens when we cancel?

Upon cancellation, you have 60 days to export your data. After that, all data is permanently deleted from our systems, including backups. We provide written confirmation of data destruction upon request.

Contact Our Security Team

For security inquiries, compliance questions, or to request documentation:

Email: security@chirodesk.ai

To report a security vulnerability, please email security@chirodesk.ai with details. We take all reports seriously and will respond within 24 hours.

© 2026 ChiroDesk AI. All rights reserved.