Your records never train an AI model. Ever.
Not ours, not a vendor's, not "de-identified for research." Your files are processed to produce your outputs, and that is the end of their journey. This is contractual — it's in the BAA — not a settings toggle.
Six controls your reviewer will ask about.
TLS 1.2+ in transit, AES-256 at rest — every file, every environment.
HIPAA-minimal by default: people see only the cases assigned to them. Nothing else exists for them.
Every PHI access event is logged — who, what, when — and exportable for your own audits, appeals, and records requests.
Token-validated sessions with strict expiry handling — no shared credentials, anywhere.
Controls documentation and evidence packages maintained audit-ready — available under NDA.
Every output cited, reviewable, and traceable to its source. AI does the reading; your experts make the calls.
Deployment & integration
For carriers, TPAs, and public-sector programs deploying at scale.
Secure REST API and CRM token exchange — no shared credentials — with outbound webhooks into your case-management and claims systems.
Per-feature, per-file metering — bill costs back to a case, a client program, or a desk.
Retention controls, de-identified export for sharing without exposing PHI, and deletion on request.