Where your data lives

AES-256 at rest. TLS 1.3 in transit. US-only.

Every byte of patient data is encrypted at rest with AES-256 under keys managed in AWS KMS, and in transit over TLS 1.3. We host in AWS US regions (us-east-1 primary, us-west-2 backup) under AWS's signed BAA. Patient identifiers and clinical fields get an extra layer of column-level encryption on top of the storage-level encryption, so reading the database storage alone does not expose them.

Who can see what

Role-based access. Append-only audit log.

Inside your account: three roles, Owner, Office Manager, and Front Desk. Inside Thorli: our staff cannot see your data unless you explicitly grant support access for a defined window, and that access ends when the window does. Every read and write is recorded in an append-only audit trail you can export at any time.

The BAA

Signed once during onboarding. Covers all eight required elements.

Among them: permitted uses and disclosures, safeguards, subcontractor flow-down, breach notification within 60 days, and return or destruction of PHI on termination. Your lawyer can review the sample before you sign.

Request the BAA sample

Vendors

Every vendor that touches PHI signs a BAA.

If a tool doesn't offer a HIPAA BAA, it never touches patient data.

AWS

AWS · compute, database, file storage, LLM

Bedrock for LLM, running Claude Haiku and Sonnet. Bedrock does not retain prompts or completions by default and does not use them for model training. A single AWS BAA covers RDS, S3, ECS, and Bedrock.

SMS

Twilio · phone, SMS, voice

HIPAA-eligible configuration enabled, BAA on file. Every patient SMS goes through this pipeline. Note that the BAA covers Twilio's handling of messages; SMS itself is not encrypted end to end across carrier networks.

AHQ

Accountable HQ · compliance program

Annual staff training, BAA library, breach-notification runbook. Tracks our internal posture.

SES

Amazon SES · email

HIPAA-eligible under the AWS BAA. Used for any email that touches patient data. Postmark is the fallback for operational email that contains no PHI.

Incident response

Same-day notification for material events.

We follow the HIPAA Breach Notification Rule. As your business associate we notify affected customers without unreasonable delay and no later than 60 days after discovery; for material events that is typically the same day. Notification comes with a written report and the steps we've taken. We carry $2M cyber liability insurance.

Certifications & roadmap

Today: HIPAA self-attestation. Year 1: SOC 2 Type I. Year 2: SOC 2 Type II + HITRUST.

SOC 2 Type I ships in Year 1, with Vanta collecting evidence and an independent CPA firm performing the audit. SOC 2 Type II plus HITRUST CSF, which DSO procurement teams require, ships in Year 2.

Questions we didn't answer?

Email security@thorli.com.

We respond within one business day. If it's procurement-driven, your lawyer can have the BAA sample in the next email.