1. HIPAA & the Business Associate Agreement
To the extent ProofOps processes Protected Health Information ("PHI") as defined in 45 CFR § 160.103, ProofOps acts as a Business Associate. We sign a Business Associate Agreement ("BAA") with every customer before any PHI is loaded into the system. The BAA covers permitted uses, breach notification within 24 hours of a confirmed breach, sub-processor flow-downs, and return or destruction of PHI on termination.
Customers can request the standard ProofOps BAA at support@proofopsmedical.com. Material modifications are reviewed case-by-case.
2. Data classification & what we collect
- Public data — content on our website.
- Account data — customer billing, staff roster, vendor list, license numbers, EMR connection metadata.
- Customer Data — manifests, training certificates, SDS (safety data sheets), BAAs, incident logs, audit records.
- PHI — schedule data, GFE records, and any document that includes patient identifiers and clinical information, processed under the BAA.
We collect the minimum necessary for the service. We do not collect, store, or process Social Security numbers, full payment-card numbers (PCI DSS scope is handled by our payment processor), or government-classified information.
3. Encryption
- In transit: TLS 1.3 enforced on all customer-facing endpoints.
- At rest: AES-256 on application data and document storage. Database backups are encrypted with separate key material.
- Key management: keys are held in a managed KMS and rotated there; no plaintext key material on developer machines.
- Email and SMS: messages to staff and customers do not contain PHI by default; clinical detail is delivered behind authenticated links to the customer portal.
4. Access control
- Single sign-on with mandatory multi-factor authentication for ProofOps staff.
- Role-based access; engineering does not have standing access to production customer data. Just-in-time elevation with audit log on every access.
- Customer Account Owners can manage user access in the portal; user activity is logged and exportable.
- Annual access reviews; immediate revocation on staff departure.
5. AI & agent safety
- Customer Data and PHI are not used to train foundation models. We use commercial model providers under enterprise terms with no-train commitments and signed BAAs where required.
- Voice agents that call vendors follow fixed scripts; each call is recorded and the recording is stored as evidence in the customer's binder.
- Agent outputs are checked against guardrails: no clinical advice, no legal advice, no actions outside the customer's scope.
- Customers can disable any agent at any time from the portal.
6. Audit logging & monitoring
- Tamper-evident audit logs for document uploads, edits, deletions, agent actions, integration connects/disconnects, and user logins.
- Centralized log aggregation with anomaly alerting.
- Customer-visible activity feed in the portal.
- Audit logs retained for at least 6 years to support compliance review and claim investigation.
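Hash-chaining log entries is one common way to make an audit log tamper-evident: each entry commits to the hash of the entry before it, so editing, deleting, inserting or reordering a committed record breaks the chain. The code below is an added illustration of that property written for this page; it is not ProofOps' implementation, and the event fields, function names and sample events are assumptions.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-hash used for the very first entry

# Constructed sample events for illustration only; not real log data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"actor": "owner@clinic.example", "action": "login", "ok": True},
    {"actor": "owner@clinic.example", "action": "document.upload", "doc": "sds-42"},
    {"actor": "agent:vendor-call", "action": "agent.call", "vendor": "acme-medical"},
    {"actor": "owner@clinic.example", "action": "document.delete", "doc": "sds-42"},
]


def _canonical(event: Dict[str, Any]) -> str:
    # Sorted keys and fixed separators so the same event always serializes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _entry_hash(seq: int, prev: str, event: Dict[str, Any]) -> str:
    # The hash covers the position, the previous hash and the event body.
    material = f"{seq}|{prev}|{_canonical(event)}".encode()
    return hashlib.sha256(material).hexdigest()


def append_entry(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append one event to the chain, linking it to the current tail."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _entry_hash(seq, prev, event)}
    chain.append(entry)
    return entry


def build_chain(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for event in events:
        append_entry(chain, event)
    return chain


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    Detects edits, deletions, insertions and reordering of committed entries.
    It does NOT detect removal of entries from the tail: the latest hash must be
    anchored somewhere the log writer cannot rewrite (signed checkpoint, WORM store).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if entry.get("hash") != _entry_hash(i, prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, None


def tampered_copy(chain: List[Dict[str, Any]], index: int, **changes: Any) -> List[Dict[str, Any]]:
    """Deep-copy the chain and silently alter one stored event, simulating an after-the-fact edit."""
    altered = copy.deepcopy(chain)
    altered[index]["event"].update(changes)
    return altered


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(log))
    print("edited entry 1:", verify_chain(tampered_copy(log, 1, doc="sds-99")))
    print("entry 1 deleted:", verify_chain(log[:1] + log[2:]))
    print("tail truncated (undetected without an anchor):", verify_chain(log[:2]))
```

The truncation case is the practical caveat: a chain alone proves nothing about entries that were removed from the end, which is why tamper-evident logging is usually paired with periodically signing or externally publishing the latest hash.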
7. Vulnerability management & pen testing
- Continuous dependency scanning and weekly automated vulnerability scans against production.
- Annual third-party penetration test of the customer-facing surface; high-severity findings remediated before launch.
- Coordinated disclosure: report security issues to support@proofopsmedical.com. We commit to acknowledging reports within 24 hours.
8. Incident response
We maintain a documented incident-response plan with an on-call rotation, severity tiers, customer-notification SLAs, and post-incident reviews. Affected customers are notified of confirmed breaches involving PHI within 24 hours, per the BAA.
9. Backups, business continuity, disaster recovery
- Encrypted automated backups, multi-AZ.
- Recovery time objective (RTO): 8 hours for production restoration.
- Recovery point objective (RPO): 1 hour for transactional data; 24 hours for object storage.
- Annual disaster-recovery exercises.
10. Compliance posture
- HIPAA — Privacy and Security Rules controls implemented; BAA available.
- SOC 2 Type II — audit in progress; report available to customers under NDA upon completion.
- GDPR / UK GDPR — Data Processing Addendum available for customers with EEA or UK data subjects.
- State privacy laws — support for customer obligations under CCPA/CPRA (California), TDPSA (Texas), CTDPA (Connecticut), VCDPA (Virginia), CPA (Colorado), and UCPA (Utah).
11. Sub-processors
ProofOps relies on a small set of vetted sub-processors to deliver the service. The current list is reviewed quarterly. Notable sub-processors:
- Cloud infrastructure — Amazon Web Services (us-east, us-west). BAA in place.
- Database — Supabase. BAA in place.
- Document storage — AWS S3, encrypted at rest.
- Communications — Twilio (SMS & voice). BAA in place.
- Voice models — ElevenLabs / Vapi. Enterprise terms with no-train commitments.
- Email — Resend or AWS SES. BAA in place where required.
- Analytics — privacy-respecting tool with no cross-site advertising trackers.
- Billing — Stripe (PCI DSS Level 1).
- Error monitoring — Sentry (PHI scrubbing enabled).
We provide at least 30 days' advance notice of any new sub-processor that processes PHI; customers can object and terminate without penalty if a substitute cannot be agreed.
12. Customer responsibilities
- Use unique, strong passwords and enable MFA.
- Promptly remove departed staff from the account.
- Restrict who in the clinic can act on alerts and escalations.
- Do not upload information you have no lawful basis to share with us.
- Report suspected security issues to support@proofopsmedical.com.
13. How to request a security packet
Customers and prospective customers under NDA can request our security questionnaire responses, BAA template, DPA, and SOC 2 status. Email support@proofopsmedical.com.
This page describes ProofOps' security practices in plain English. Customer agreements, the BAA, and the DPA contain the binding obligations.