Security & Trust Center
Last updated: March 25, 2026
AIDentalClaims is built from the ground up with enterprise-grade security designed specifically for healthcare. We understand that your patients' data demands the highest level of protection, and we treat that responsibility as foundational to everything we build.
Data Encryption
Every byte of data in our platform is encrypted, whether it is sitting in a database or moving across the network.
- At Rest — All data is encrypted using AES-256, the same standard used by financial institutions and government agencies. Encryption keys are managed through AWS Key Management Service with automatic rotation. Note that KMS rotation issues new key material on a schedule and keeps earlier versions available for decryption; it does not re-encrypt data already written under an older version.
- In Transit — All connections are secured with TLS 1.3, the latest and most secure transport layer protocol. Older TLS versions are disabled entirely.
- HSTS Enforcement — HTTP Strict Transport Security is enforced on all endpoints. Once a browser has seen the header it refuses to connect over plaintext HTTP, which defeats SSL-stripping downgrade attacks; HSTS does not itself control which TLS version is negotiated, and the very first visit is protected only if the domain is on the browser preload list.
Authentication
Strong authentication is your first line of defense. We enforce rigorous authentication standards for every user.
- Mandatory MFA — Multi-factor authentication is required for all user accounts. We support authenticator apps and hardware security keys.
- Session Timeouts — Inactive sessions are automatically terminated after 15 minutes, reducing the risk of unauthorized access from unattended devices.
- Account Lockout — Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks. Unlock requires identity verification.
Access Controls
Access to data is tightly scoped so that users only see what they need to perform their role.
- Role-Based Access Control (RBAC) — Granular permissions are assigned based on role: dentist, office manager, billing specialist, and administrator each have tailored access levels.
- Practice-Level Isolation — Each dental practice operates within a logically isolated environment. There is no cross-practice data access by default; multi-location groups share data only where that sharing has been explicitly configured.
- Minimum Necessary Principle — Access to PHI is restricted to the minimum amount necessary for each function, in compliance with HIPAA requirements.
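The three controls above combine naturally in a single authorization check: tenant isolation first, then the role's permissions, then a field-level projection so a role sees only the claim fields it needs. The following is an added example written for this page, not AIDentalClaims' own code; the permission matrix, the per-role field sets, and all user, practice, and claim identifiers are assumptions constructed for illustration. It goes slightly beyond the text in one respect: the administrator role here manages users and configuration but holds no claim permissions, which is one way to apply minimum necessary to the role that is usually over-privileged.

```python
"""Illustrative authorization check combining practice-level isolation,
role-based permissions, and field-level minimum necessary.  Added example,
not AIDentalClaims code; the role-permission matrix, field sets, and all
identifiers below are assumptions constructed for this page."""
from dataclasses import dataclass

# Assumed permission matrix.  "administrator" manages users and configuration
# but has no claim/PHI permissions: minimum necessary means an admin role is
# not automatically a read-everything role.
ROLE_PERMISSIONS = {
    "dentist":            {"claim:read", "claim:create", "note:read", "note:write"},
    "office_manager":     {"claim:read", "claim:create", "claim:submit", "user:invite"},
    "billing_specialist": {"claim:read", "claim:submit", "claim:export"},
    "administrator":      {"user:invite", "user:disable", "audit:read", "practice:configure"},
}

# Claim fields each role may see (field-level minimum necessary, assumed).
CLAIM_FIELDS_BY_ROLE = {
    "dentist":            {"claim_id", "procedure_code", "tooth_number", "clinical_notes"},
    "office_manager":     {"claim_id", "procedure_code", "tooth_number", "billed_amount", "payer"},
    "billing_specialist": {"claim_id", "procedure_code", "billed_amount", "payer"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    practice_id: str
    role: str
    # Practices reachable through an explicitly configured multi-location
    # group; empty by default so isolation is the starting state.
    group_practices: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    kind: str          # "claim", "note", "user", ...
    resource_id: str
    practice_id: str   # the tenant that owns the resource


class AccessDenied(Exception):
    pass


def authorize(principal: Principal, action: str, resource: Resource) -> None:
    """Raise AccessDenied unless both the tenant and the role check pass.
    Tenant isolation is evaluated first so no role can widen it."""
    if (resource.practice_id != principal.practice_id
            and resource.practice_id not in principal.group_practices):
        raise AccessDenied(
            f"{principal.user_id} ({principal.practice_id}) may not reach "
            f"{resource.kind} {resource.resource_id} owned by {resource.practice_id}")
    permission = f"{resource.kind}:{action}"
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise AccessDenied(f"role {principal.role} lacks {permission}")


def can(principal: Principal, action: str, resource: Resource) -> bool:
    """Boolean wrapper around authorize() for callers that only need yes/no."""
    try:
        authorize(principal, action, resource)
        return True
    except AccessDenied:
        return False


def project_claim(principal: Principal, claim: dict) -> dict:
    """Return only the claim fields the principal's role needs to see."""
    visible = CLAIM_FIELDS_BY_ROLE.get(principal.role, set())
    return {k: v for k, v in claim.items() if k in visible}


# Constructed sample principals and resources; not real identifiers.
ALICE = Principal("u-alice", "practice-A", "dentist")
BOB = Principal("u-bob", "practice-B", "billing_specialist")
CAROL = Principal("u-carol", "practice-A", "administrator")
# Dave's multi-location group is explicitly configured to include practice A.
DAVE = Principal("u-dave", "practice-B", "office_manager", frozenset({"practice-A"}))
CLAIM_A = Resource("claim", "clm-1001", "practice-A")
SAMPLE_CLAIM = {"claim_id": "clm-1001", "procedure_code": "D2740", "tooth_number": "19",
                "billed_amount": 1250.0, "payer": "Example Dental Plan",
                "clinical_notes": "Crown placed on #19."}

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        print(who.user_id, "read claim A:", can(who, "read", CLAIM_A))
```

The ordering inside `authorize` is the point: the tenant check runs before the role lookup, so a misconfigured or overly broad role can never reach another practice's records, and a group relationship has to be stated explicitly on the principal rather than inferred.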
AI Data Handling
Our AI pipeline is designed with privacy at its core. Patient identifiers never reach our language models.
- De-identification Before Processing — All data is de-identified before being sent to AI models. Patient names, dates of birth, member IDs, and the remaining Safe Harbor categories (all 18 HIPAA identifiers) are stripped or generalized prior to transmission.
- No PHI Sent to LLM — Our large language model provider (Anthropic) never receives Protected Health Information. AI processing operates exclusively on de-identified clinical data.
- HIPAA Safe Harbor Method — De-identification follows the Safe Harbor method defined in 45 CFR 164.514(b)(2): all 18 categories of identifiers are removed (dates reduced to year, ZIP codes truncated to three digits, ages over 89 aggregated to 90+), and we have no actual knowledge that the remaining information could be used, alone or in combination, to identify an individual.
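What the Safe Harbor step looks like in practice, as an added example written for this page (not AIDentalClaims' pipeline code): a claim record is reduced to an allowlisted set of clinical fields, dates of birth become an age bucket, other dates keep only their year, the ZIP code is truncated to three digits (or "000" for the three-digit areas HHS lists as covering 20,000 people or fewer), and free text is scanned for identifier-shaped tokens before anything leaves the process. The field names, the allowlist, and the sample record are assumptions constructed here. One design choice worth noting: unknown fields are dropped and a residual identifier in free text raises rather than being silently forwarded, so the filter fails closed.

```python
"""Illustrative Safe Harbor de-identification of a dental claim before it
reaches an LLM.  Added example, not AIDentalClaims code; field names, the
allowlist, and the sample record are assumptions constructed here."""
import re
from datetime import date

# Three-digit ZIP prefixes HHS lists as covering 20,000 or fewer people
# (2000 Census figures); Safe Harbor requires these to be reported as "000".
SMALL_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields the pipeline may forward unchanged (assumed names).  Anything not
# listed here or transformed below is dropped, so a newly added PHI field
# fails closed instead of leaking.
ALLOWED_FIELDS = {"procedure_code", "tooth_number", "diagnosis_code",
                  "billed_amount", "clinical_notes"}

# Identifier-shaped tokens checked in free text; a hit aborts the request.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


class ReidentificationRisk(Exception):
    """Raised when a residual identifier is found in text bound for the LLM."""


def zip_to_safe_harbor(zip_code: str) -> str:
    """Keep the first three digits, or '000' for small-population areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def age_bucket(dob: date, as_of: date) -> str:
    """Safe Harbor permits age, but ages over 89 must be aggregated to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def check_free_text(text: str) -> str:
    """Fail closed if free text still carries an identifier-shaped token."""
    for name, pattern in RESIDUAL_PATTERNS.items():
        if pattern.search(text):
            raise ReidentificationRisk(f"{name} pattern found in free text")
    return text


def deidentify_claim(record: dict, as_of: date) -> dict:
    """Return the Safe Harbor view of a claim: direct identifiers dropped,
    DOB replaced by an age bucket, other dates reduced to year, ZIP truncated."""
    out = {}
    for key, value in record.items():
        if key == "date_of_birth":
            out["age"] = age_bucket(value, as_of)
        elif key == "zip":
            out["zip3"] = zip_to_safe_harbor(value)
        elif isinstance(value, date):          # any other date: year only
            out[f"{key}_year"] = value.year
        elif key in ALLOWED_FIELDS:
            out[key] = check_free_text(value) if isinstance(value, str) else value
        # every other field (name, member ID, phone, ...) is dropped
    return out


# Constructed sample record; not real patient data.
SAMPLE_CLAIM = {
    "patient_name": "Jane Q. Sample",
    "member_id": "MBR-00012345",
    "phone": "555-0100",
    "date_of_birth": date(1931, 5, 14),
    "date_of_service": date(2026, 3, 2),
    "zip": "83001",              # prefix 830 is on the small-population list
    "procedure_code": "D2740",
    "tooth_number": "19",
    "billed_amount": 1250.00,
    "clinical_notes": "Crown placed on #19, porcelain fused to metal.",
}


def deidentify_sample(as_of: date = date(2026, 3, 25)) -> dict:
    """Convenience wrapper: the sample claim as it would be sent to the model."""
    return deidentify_claim(SAMPLE_CLAIM, as_of)


if __name__ == "__main__":
    print(deidentify_sample())
```

Regex screening of free text is a backstop, not a guarantee: names and non-standard date formats in clinical notes will not match these patterns, which is why the allowlist and the "no actual knowledge" prong of Safe Harbor matter as much as the transformations.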
Audit Logging
Comprehensive audit trails provide full visibility into every interaction with patient data.
- Complete PHI Access Logging — Every access, view, modification, export, and deletion of PHI is recorded with timestamp, user identity, action type, and affected records.
- 6-Year Retention — Audit logs are retained for a minimum of six years, satisfying HIPAA documentation requirements under 45 CFR 164.530(j).
- Immutable Logs — Audit logs are stored in append-only, tamper-resistant storage. Logs cannot be modified or deleted by any user, including administrators.
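Append-only storage is what keeps the log from being edited after the fact, but a reader of the log also needs a way to prove nothing was altered or removed. One common technique is to hash-chain the entries so that each record commits to its predecessor. The block below is an added example written for this page, not AIDentalClaims' logging code; the entry layout (timestamp, user identity, action type, affected records, as the page describes) and the sample events are assumptions constructed here.

```python
"""Illustrative hash-chained, append-only audit log for PHI access events.
Added example, not AIDentalClaims code; the entry layout and the sample
events are assumptions constructed for this page."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)
    of every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only by construction: there is no update or delete method, and
    every entry records the hash of the entry before it."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, user_id: str, action: str, record_ids,
               timestamp: Optional[str] = None) -> str:
        prev = self._entries[-1]["entry_hash"] if self._entries else GENESIS_HASH
        entry = {
            "seq": len(self._entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "action": action,              # view, modify, export, delete, ...
            "record_ids": sorted(record_ids),
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["entry_hash"]

    def entries(self) -> List[dict]:
        """Deep copy, so callers cannot mutate the stored chain."""
        return json.loads(json.dumps(self._entries))

    def head(self) -> str:
        """Hash of the newest entry; this is the value to anchor externally."""
        return self._entries[-1]["entry_hash"] if self._entries else GENESIS_HASH


def verify_chain(entries: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain.  Returns (True, None) if intact, otherwise (False, index
    of the first bad position).  Supplying the externally anchored head hash
    also detects truncation of the tail, which the chain alone cannot."""
    prev = GENESIS_HASH
    for index, entry in enumerate(entries):
        if (entry.get("seq") != index
                or entry.get("prev_hash") != prev
                or _digest(entry) != entry.get("entry_hash")):
            return False, index
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed events with fixed timestamps so the chain is reproducible."""
    log = AuditLog()
    log.append("u-alice", "view", ["clm-1001"], "2026-03-25T14:02:11+00:00")
    log.append("u-bob", "export", ["clm-1001", "clm-1002"], "2026-03-25T14:05:40+00:00")
    log.append("u-carol", "delete", ["clm-1002"], "2026-03-25T14:09:03+00:00")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample.entries(), sample.head()))
```

The chain detects modification or removal of any interior entry, but an attacker who can rewrite the whole file can simply drop the newest entries and leave a shorter, still-consistent chain. That is why the head hash must be anchored somewhere the log writer cannot alter, for instance periodically written to a separate object store with a retention lock, and passed back in as `expected_head` at verification time.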
Infrastructure
Our infrastructure is hosted on AWS and designed for resilience, compliance, and performance.
- AWS Regions — All data is hosted in AWS us-east-1 (N. Virginia) and us-west-2 (Oregon), both within the United States. No data is stored or processed outside the U.S.
- HIPAA-Eligible Services — We exclusively use AWS services that are covered under AWS's Business Associate Agreement and designated as HIPAA-eligible.
- Encrypted Backups — Full database backups are performed daily, encrypted with AES-256, and stored in a separate AWS region for disaster recovery.
Compliance
We maintain a rigorous compliance program and continuously invest in meeting and exceeding industry standards.
- HIPAA Compliance — We operate in accordance with the HIPAA Privacy, Security, and Breach Notification Rules and execute Business Associate Agreements with all customers and subprocessors.
- SOC 2 Type II (In Progress) — We are actively pursuing a SOC 2 Type II attestation report covering the security, availability, and confidentiality trust services criteria.
- Annual Risk Assessments — We conduct comprehensive security risk assessments annually in accordance with 45 CFR 164.308(a)(1)(ii)(A), with remediation tracking for all identified findings.
Subprocessors
We carefully vet every third-party provider that handles data on our platform.
| Provider | Purpose | PHI Handling |
|---|---|---|
| AWS | Infrastructure & Hosting | BAA in place |
| Anthropic | AI Processing | De-identified data only |
| Stripe | Payment Processing | No PHI access |
Incident Response
We maintain a documented incident response plan that is tested and updated regularly.
- Documented Plan — Our incident response plan covers identification, containment, eradication, recovery, and post-incident review with defined roles and escalation paths.
- 60-Day Breach Notification — In the event of a breach involving unsecured PHI, affected Covered Entities are notified without unreasonable delay and in no case later than 60 calendar days after discovery, as the HIPAA Breach Notification Rule requires of business associates (45 CFR 164.410).
- 24/7 Security Monitoring — Continuous monitoring with automated alerting detects anomalous behavior, unauthorized access attempts, and potential threats around the clock.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue in our platform, please contact us at security@aidentalclaims.com. We ask that you give us reasonable time to investigate and address reported vulnerabilities before making any public disclosure. We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
Have questions about our security practices? Contact us at security@aidentalclaims.com.