SAI is fully HIPAA compliant. Every customer receives a Business Associate Agreement as standard -- not on request, not as an upgrade. The minimum necessary principle governs all data access: SAI only processes the data required to generate and store the clinical note.
Business Associate Agreement (BAA) provided to every customer at no additional cost
Minimum necessary principle applied to all data access and processing
Only the clinical note and transcript are retained after encounter completion
HIPAA Breach Notification Rule compliance -- customers notified within required timeframes
24/7 security monitoring
Data Security
01
Encryption
Encryption in transit: TLS 1.3
Encryption at rest: AES-256
Keys managed under a formal encryption and key lifecycle policy
02
Infrastructure
Hosted on AWS US-region infrastructure
HIPAA-eligible AWS services only
Network isolation, firewalls, and intrusion detection
Physical security controls inherited from AWS
03
Access Controls
Role-based access control (RBAC) for clinic admins and clinicians
Multi-factor authentication (MFA) required for all access
Access limited to minimum necessary personnel
04
EHR Integration Security
OAuth 2.0 authorization, using the SMART on FHIR profile where the EHR supports it
No patient data persists outside the agreed integration scope
Data exchange limited to the fields required for note transfer
AI MODEL PRACTICES
Patient data processed through SAI is never used to train foundation AI models without explicit written consent. AI inference runs within HIPAA-eligible infrastructure -- patient information does not leave the compliant environment during processing. All AI-generated notes require physician review before they can be finalized.
Patient data never used to train AI models without explicit written consent
AI inference performed within HIPAA-eligible infrastructure
No PHI transmitted to external model providers outside compliant boundaries
Mandatory physician review of all AI-generated notes before finalization
Data Retention and Deletion
Data export available in standard formats upon request
Right to deletion: patients and customers can request data removal
Deletion confirmed in writing upon request completion
01
Audio: deleted automatically upon note completion
02
Transcripts and notes: retained per customer-defined retention window
03
Customer can request immediate deletion of their data at any time
04
On cancellation: data accessible for 90 days, then permanently deleted
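The four retention rules above interact (a deletion request overrides everything, audio is purged at note completion, cancellation caps the customer-defined window at 90 days). The following is an added illustration of how such a schedule is enforced; it is example code, not SAI's implementation, and the record fields, the function names and the sample records are all assumptions constructed for the example.

```python
"""Retention-schedule enforcement for the rules listed above.
Example code (not SAI's own); the Record fields, helper names and
SAMPLE records are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# "On cancellation: data accessible for 90 days, then permanently deleted"
CANCELLATION_GRACE = timedelta(days=90)


@dataclass
class Record:
    record_id: str
    kind: str                       # "audio" | "transcript" | "note"
    completed_at: datetime          # note/encounter completion time (UTC)
    retention_days: int             # customer-defined window (transcripts/notes)
    deletion_requested: bool = False
    cancelled_at: Optional[datetime] = None


def purge_deadline(rec: Record) -> Optional[datetime]:
    """Instant after which the record must no longer exist.
    None means 'delete immediately'."""
    if rec.deletion_requested:
        # Customer/patient deletion request: immediate, regardless of window.
        return None
    if rec.kind == "audio":
        # Audio is deleted automatically as soon as the note is complete.
        return rec.completed_at
    window_end = rec.completed_at + timedelta(days=rec.retention_days)
    if rec.cancelled_at is not None:
        # Cancellation caps retention at 90 days after cancellation; a shorter
        # customer window still wins, so take the earlier of the two.
        return min(window_end, rec.cancelled_at + CANCELLATION_GRACE)
    return window_end


def should_purge(rec: Record, now: datetime) -> bool:
    deadline = purge_deadline(rec)
    return deadline is None or now >= deadline


def records_to_purge(records: List[Record], now: datetime) -> List[str]:
    """IDs of every record the purge job must delete at time `now`."""
    return [r.record_id for r in records if should_purge(r, now)]


# --- constructed sample data -------------------------------------------------
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at_day(n: int) -> datetime:
    """Helper: T0 plus n days (used by the sample and by tests)."""
    return T0 + timedelta(days=n)


SAMPLE = [
    Record("aud-1", "audio", T0, retention_days=365),
    Record("tx-1", "transcript", T0, retention_days=30),
    Record("note-1", "note", T0, retention_days=365, cancelled_at=at_day(10)),
    Record("note-2", "note", T0, retention_days=365, deletion_requested=True),
    Record("note-3", "note", T0, retention_days=20, cancelled_at=at_day(10)),
]

if __name__ == "__main__":
    for day in (0, 50, 100):
        print(f"day {day:3d}: purge {records_to_purge(SAMPLE, at_day(day))}")
```

At day 50 the audio (deadline day 0), the 30-day transcript, the record under a deletion request and the note whose 20-day window expired are purged, while note-1 survives until day 100 (10 days after cancellation plus the 90-day grace), even though its customer window would have kept it for a year.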
INDEPENDENT VALIDATION
SOC 2 Type II attestation
Report available under NDA on request.
Annual third-party penetration testing
Conducted by an independent tester on a recurring annual basis.
Vulnerability disclosure program
Report security issues to security@saibyscrivas.com
SECURITY DOCUMENTATION
Security & Compliance
Our security team is available to walk through our compliance posture, share documentation, or support your organization’s vendor evaluation process.

