Security you can verify. Privacy patients can trust.
MednBot is built for regulated healthcare environments from the ground up. This page is the single, authoritative source for our security architecture, privacy practices, sub-processors, and compliance roadmap.
Last updated June 2026 · Reviewed quarterly
Administrative, physical, and technical safeguards in place. BAAs available.
Type I readiness underway. Type I report targeted for H2 2026; Type II report for H1 2027.
All customer data is stored and processed in U.S. AWS regions.
All data encrypted at rest and in transit. Keys managed via AWS KMS.
Every query is scoped to a single customer tenant; cross-tenant access is denied by design.
First external penetration test scheduled to complete in H2 2026; annual cadence thereafter.
Anchored in HIPAA. Formalizing against SOC 2.
HIPAA
MednBot operates as a HIPAA Business Associate. We maintain administrative, physical, and technical safeguards consistent with 45 CFR Parts 160 and 164, including the Security Rule, Privacy Rule, and Breach Notification Rule. Business Associate Agreements are available to every customer at no charge.
SOC 2 (in progress)
Readiness against the Security, Availability, and Confidentiality Trust Services Criteria is underway with our compliance automation partner. We are targeting a Type I attestation in H2 2026 and a Type II report in H1 2027.
State Privacy Law
Where state-level privacy obligations (e.g., CCPA/CPRA, Texas HB 300, Washington My Health My Data) impose requirements beyond HIPAA, we honor them as they apply to the data we process for customers in those jurisdictions.
Roadmap
Our compliance roadmap includes annual independent penetration testing, SOC 2 Type II renewal, and HITRUST evaluation as enterprise demand warrants. Confirmed timelines are shared under NDA on request.
Encrypted, isolated, and recoverable.
Encryption at Rest
All customer data, including protected health information and uploaded media, is encrypted at rest with AES-256. Encryption keys are managed through AWS Key Management Service with audited key access.
Encryption in Transit
All connections between clients and MednBot, and between MednBot and its sub-processors, are protected using TLS 1.2 or higher with modern cipher suites. HTTP traffic is redirected to HTTPS at the application edge.
Backups & Recovery
The primary database is backed up automatically with point-in-time recovery enabled. Object storage is versioned. Recovery procedures are documented; recovery objectives are shared under NDA on request.
Retention & Deletion
Customer data is retained for the lifetime of the customer relationship and any contractually agreed retention window thereafter. On verified customer request, data is purged using documented procedures that traverse all related records in referentially safe order.
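The tenant-scoped querying and referentially safe purge described on this page, shown as an added illustration that is not MednBot's own code: the schema, table names, sample rows and SQLite backend are assumptions, and the deletion order is derived from foreign-key metadata so that child rows are removed before the rows they reference.

```python
import sqlite3

# Constructed schema (assumption, not MednBot's): every PHI table carries tenant_id.
SCHEMA = """
CREATE TABLE tenant(id INTEGER PRIMARY KEY);
CREATE TABLE patient(id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL REFERENCES tenant(id));
CREATE TABLE encounter(id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL REFERENCES tenant(id),
                       patient_id INTEGER NOT NULL REFERENCES patient(id));
CREATE TABLE note(id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL REFERENCES tenant(id),
                  encounter_id INTEGER NOT NULL REFERENCES encounter(id));
"""
TABLES = ("tenant", "patient", "encounter", "note")  # trusted identifiers, never caller input

def build_demo():
    """In-memory database holding two tenants' worth of constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK constraints unless enabled
    conn.executescript(SCHEMA)
    for t in (1, 2):
        conn.execute("INSERT INTO tenant VALUES (?)", (t,))
        conn.execute("INSERT INTO patient VALUES (?, ?)", (t * 10, t))
        conn.execute("INSERT INTO encounter VALUES (?, ?, ?)", (t * 100, t, t * 10))
        conn.execute("INSERT INTO note VALUES (?, ?, ?)", (t * 1000, t, t * 100))
    conn.commit()
    return conn

def tenant_rows(conn, table, tenant_id):
    """Every read carries a tenant filter; a missing tenant is an error, never 'all rows'."""
    if table not in TABLES or tenant_id is None:
        raise ValueError("table must be a known table and tenant_id is required")
    col = "id" if table == "tenant" else "tenant_id"
    return conn.execute(f"SELECT id FROM {table} WHERE {col} = ?", (tenant_id,)).fetchall()

def deletion_order(conn):
    """Read FK metadata and order tables so none is purged while another still references it."""
    deps = {t: {r[2] for r in conn.execute(f"PRAGMA foreign_key_list({t})")} for t in TABLES}
    remaining, order = set(TABLES), []
    while remaining:
        referenced = {p for t in remaining for p in deps[t] if p != t}
        ready = sorted(remaining - referenced)  # no remaining table points at these
        if not ready:
            raise ValueError("foreign-key cycle; purge order must be set by hand")
        order.extend(ready)
        remaining -= set(ready)
    return order

def purge_tenant(conn, tenant_id):
    """Remove one tenant's records, children first, atomically (rolled back on any error)."""
    with conn:  # commits on success, rolls back if any DELETE fails
        for table in deletion_order(conn):
            col = "id" if table == "tenant" else "tenant_id"
            conn.execute(f"DELETE FROM {table} WHERE {col} = ?", (tenant_id,))
```

With foreign keys enforced, deleting a parent table first raises an integrity error, which is exactly the failure the dependency-ordered purge avoids.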
Who we work with, and why.
MednBot engages the following third-party service providers to support delivery of the platform. Business Associate Agreements are in place where the sub-processor may process protected health information. The list is updated as relationships change.
| Sub-processor | Purpose | Data Category | Region |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure, object storage, transactional email, SMS/voice notifications, monitoring | Application data, PHI | United States |
| Neon | Managed PostgreSQL database hosting | Application data, PHI | United States |
| Stripe | Payment processing and subscription billing | Billing data (no PHI) | United States |
| xAI | Large language model inference for clinical assistant features | Conversation content (may contain PHI) | United States |
| D-ID | Generative video avatar rendering | Doctor likeness, voice, prompt content | United States / Vendor-managed |
| Claim.MD | Insurance eligibility, claim submission, ERA processing | Claims data, PHI | United States |
Customers may subscribe to be notified of material changes to this list. To subscribe, contact compliance@mednbot.com.
We process data for you, not on you.
MednBot processes personal information and protected health information on behalf of our customers, who are the data controllers. We do not sell personal information. We do not use protected health information to train third-party, general-purpose AI models. Customers remain responsible for issuing Notices of Privacy Practices to their patients consistent with HIPAA. See our Privacy Policy for how MednBot processes information across the platform.
Detect, contain, notify.
MednBot maintains a documented incident response program covering detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting customer data, MednBot will notify affected customers without unreasonable delay and in accordance with applicable Business Associate Agreement obligations and the HIPAA Breach Notification Rule.
Report a suspected security issue at any time by emailing security@mednbot.com. We acknowledge credible reports within one business day.
Good-faith research is welcome.
If you believe you have discovered a vulnerability in any MednBot product, please report it to security@mednbot.com. Provide enough detail to reproduce the issue, and please do not access data that does not belong to you, degrade service for others, or disclose the issue publicly before we have had a reasonable opportunity to remediate. We credit researchers who request it once the report is resolved.
Need our full security package?
Enterprise buyers can request our security overview, sub-processor change log, sample Business Associate Agreement, HIPAA risk assessment summary, and current SOC 2 status memo. Materials are shared under a mutual NDA.