SECURITY & HIPAA

Built for healthcare. A BAA before any data moves.

You're handing a vendor access to claim data. We treat that seriously: a signed Business Associate Agreement first, the minimum necessary data, encrypted and audit-logged — and a written promise to never sell it or train AI on it.

BAA before any data

We sign a Business Associate Agreement before we access a single claim. No data moves before the paper does.

Minimum necessary

We take only denial and remittance data (EOB/835) — not your full charts. For an appeal that needs a note, only that one note, for that one claim.

Encrypted in transit & at rest

We use industry-standard encryption — including AES-256 for data at rest and TLS in transit — and apply application-layer encryption to PHI fields.

Access audit-logged

Reads, exports, and transmissions of claim data are recorded in a tamper-resistant audit log, which we monitor for anomalous access.

Never sold

Your practice and patient data is never sold, licensed, or shared for marketing. In writing, in the BAA.

Never used to train AI

Your data is never used to train or improve any AI model — ours or a vendor's. We require no-training terms from every AI subprocessor.

Where we stand — stated plainly

HIPAA

BAA-first

We sign a BAA before accessing data and operate under HIPAA-aligned technical, administrative, and physical safeguards (encryption, audit logging, access controls, minimum-necessary handling).

California CMIA

We comply

We handle medical information in line with California's Confidentiality of Medical Information Act (Civil Code §56 et seq.), which protects medical information alongside HIPAA.

SOC 2 Type II

Planned

We're building toward a SOC 2 Type II audit. We're not claiming it's complete or underway — we'll say so the day it is.

Infrastructure

SOC 2-certified vendors

Built on SOC 2 Type II-certified infrastructure (Vercel, Supabase), with US data residency. We require a BAA, no-AI-training, and no-sale terms from every subprocessor that handles PHI.

Data handling

Minimum necessary

Denial + remittance data only (EOB/835), never full charts; a single note only when a specific appeal requires it.

A full subprocessor list is published at /subprocessors.

Request a BAA — or our security details.

We'll send a Business Associate Agreement and walk through our safeguards before you share anything. BAAs are included at no extra cost.

security@volari.ai

Or get your free denial assessment — no PHI or claim data shared until a BAA is signed →