Mimic is built from the ground up to meet HIPAA requirements. All patient data is encrypted at rest and in transit. Access controls ensure only authorized personnel can view patient information. We maintain comprehensive audit logs of all data access.
We sign a Business Associate Agreement (BAA) with every customer. This is a legal requirement for any vendor handling protected health information (PHI), and we take it seriously. Your BAA is executed before we access any patient data.
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Voice recordings, patient records, and communication logs are stored in encrypted databases with access restricted to authorized services only.
All data is processed and stored in US-based data centers. We do not transfer patient data internationally. Our infrastructure providers maintain SOC 2 Type II and HITRUST certifications.
Role-based access controls (RBAC) ensure that team members only access the data they need. All access is logged, monitored, and auditable. We follow the principle of least privilege across our entire platform.
We retain data only as long as necessary for the services we provide. When you leave Mimic, we securely delete all your data within 30 days. You can request a data export at any time.