Patient trust is the whole product.
CarePilot is SOC 2 Type II audited and HIPAA compliant. PHI never trains our models, never leaves the United States, and never sits in an audio file longer than 24 hours.
SOC 2 Type II · HIPAA

Six commitments.
Each one is policy, not aspiration: written down, monitored in Drata, and checked by auditors who don't work for us.
Encrypted everywhere
AES-256 at rest via AWS Key Management Service: databases, object storage, backups. TLS 1.2+ on every connection in transit.
Your data stays in the U.S.
PHI is processed and stored exclusively in the United States, on AWS US-East-1. It doesn't cross a border to be useful.
PHI never trains AI models
Not ours, not anyone's. BAAs are in place with every model provider, and providers retain nothing.
Audio is gone in 24 hours
Visit recordings are never retained beyond 24 hours. Note retention is set by your practice, and complete deletion is yours to request, any time.
BAAs all the way down
A business associate agreement is executed with every customer and every subprocessor that touches PHI, before the first chart is touched.
Continuously monitored
Controls monitored continuously in Drata. 30+ security policies, reviewed annually. Third-party penetration tests every year; automated scans every week.
How the AI handles PHI.
The whole path, station by station, including the one step nothing automated can cross. A clinician approves everything.
1. Ambient audio from the room. One sentence to the patient, and the visit proceeds. (audio · ≤ 24h)
2. Speech becomes a structured transcript inside the encounter, encrypted in transit and at rest. (encrypted)
3. Drafting runs on models under business associate agreements. Nothing retained, nothing trained on. (BAA · no training)
4. Note, codes, and orders arrive as drafts, in the chart's own fields rather than a parallel database. (discrete fields)
5. Nothing reaches the chart without a clinician's sign-off. No AI output files itself. (human sign-off)
6. Every action is logged: who saw what, what was signed, and when. (logged)

The parts a reviewer checks.
The controls behind the commitments, in the same terms a security questionnaire asks for them.
Sourced from our security knowledge base.

CarePilot is SOC 2 Type II audited, most recently by Prescient Assurance, with an expanded audit already planned. An independent third party performs penetration testing annually, automated vulnerability scans run weekly, and risk assessments run at least annually. More than 30 security policies are managed in Drata, monitored continuously, and reviewed every year.
MFA is required for every user, ours and yours. Access follows role-based control with least-privilege defaults and is reviewed at least quarterly; production data access is restricted to engineering leadership. SSO/SAML is supported for practices running a central identity provider.
Daily encrypted backups of every PHI database, tested regularly for recoverability. Documented business continuity and disaster recovery plans, each tested at least annually. 99.9% monthly uptime SLA, with severity-classified escalation.
Every hire passes a background check before access. All employees and contractors complete annual security training covering HIPAA, data handling, phishing, and incident reporting, with completion tracked in Drata. Departing employees lose all access within 24 hours via a formal offboarding checklist.
A formalized incident response plan (identification, containment, eradication, recovery, post-incident review) led by our security officer and tested annually. Affected clients are notified within 24 hours of confirmed discovery; HIPAA-regulated breaches follow the Breach Notification Rule's formal timelines.
Asked by every IT lead.
Ten answers, word for word from the knowledge base we hand to security reviewers.
Yes. CarePilot is fully HIPAA compliant: all data is encrypted in transit and at rest, PHI is processed and stored exclusively in the United States, business associate agreements are executed with every customer and every subprocessor, and PHI is never used to train AI models.
Yes. CarePilot holds a SOC 2 Type II report; the most recent audit was performed by Prescient Assurance. The full report is available under NDA. Request it at privacy@carepilot.com.
All data is processed and stored exclusively in the United States, on AWS US-East-1 (Ashburn, Virginia). It never leaves the country.
No. CarePilot never uses customer PHI to train or improve AI models, and neither do our model providers. Business associate agreements are in place with every provider, and providers retain nothing.
Audio is never retained beyond 24 hours. Note retention is configurable by your practice, and you can request complete deletion at any time.
CarePilot uses OpenAI (via Azure) and Anthropic, under business associate agreements. No customer data is retained by the model providers or used for model training.
Yes to both. MFA is required for every CarePilot user, and SSO/SAML integration is supported for practices that run a central identity provider.
Yes. An independent third party performs penetration testing annually, automated vulnerability scans run weekly, and internal testing accompanies major releases.
CarePilot maintains a tested incident response plan. Affected clients are notified within 24 hours of confirmed discovery, and HIPAA-regulated breaches follow the Breach Notification Rule's formal timelines.
A 99.9% monthly uptime SLA, with severity-classified escalation procedures and daily encrypted backups behind a tested disaster recovery plan.
Ambient AI in an exam room only works if nobody has to think about it twice. That's the bar we build to: nothing in the way, and nothing left exposed.
Ask us the hard questions.
SOC 2 report and security packet on request. A BAA before the first recorded visit.