Security & HIPAA
How we protect your practice's data.
DentalOps is built for a regulated industry. Security and compliance are first-class product features, not afterthoughts. This page is what we have in place today and what we're delivering next.
Status as of May 2026: HIPAA BAA-ready from day one. SOC 2 Type 1 audit in progress, expected to complete in Q3 2026. Email us with any specific questions.
HIPAA
We sign a Business Associate Agreement (BAA) with every customer practice as standard, before any patient data touches our systems. Our infrastructure is designed to meet the HIPAA Security Rule's administrative, physical, and technical safeguards.
BAAs with subprocessors
Every system that touches PHI is contractually bound by its own BAA:
- Anthropic: Claude API. BAA executed.
- AWS: Compute and storage. BAA executed (HIPAA-eligible services only).
- Stripe: Patient payment processing. Stripe HIPAA tier.
- Twilio: SMS, voice, fax. Twilio for Healthcare BAA.
- Google Workspace: Internal communications. BAA executed for healthcare data flow.
Technical safeguards
- Encryption in transit: TLS 1.3 on every external connection. HSTS preload on dentalops.dev.
- Encryption at rest: AES-256 for any stored PHI. Per-customer key isolation.
- Audit logging: Every agent action against PHI is logged with user, timestamp, scope, and outcome.
- Authentication: SSO via Google Workspace. MFA required for every admin and operator account.
- Auto-logoff: 15-minute idle timeout on all interfaces.
- Least-privilege access: Role-based permissions. Patient-scope guardrails on every subagent.
SOC 2 Type 1
Our SOC 2 Type 1 audit is in progress with a Big Four-affiliated CPA firm. Expected report delivery: Q3 2026. Type 2 monitoring window begins immediately after Type 1 completion.
Customers and prospective customers can request a security questionnaire response, Trust Center summary, or our pen test report by emailing hello@dentalops.dev.
Data isolation
Each practice operates in its own logical tenant with isolated data, eligibility cache, and agent memory. No PHI is shared across customers. Aggregate priors used for the public leak audit are derived from non-PHI industry sources (ADA Survey, ai.dentist 2026 RCM benchmark) and from explicitly consented, anonymized customer data.
Incident response
We maintain a written incident response plan and a 60-day breach-notification window consistent with HIPAA requirements. Customer-facing breach notifications use a published template that we'll share on request.
Suspected security issue? Please email hello@dentalops.dev with the subject line "Security issue report." We acknowledge within 24 hours.
Reporting
On request, customers receive:
- BAA: Executed copy on letterhead.
- Subprocessor list: Current snapshot with BAA dates.
- Quarterly access review: Who at DentalOps had access to your tenant, when, and why.
- Audit log export: Full agent action log for any case or date range.
Last updated: 2026-05-01