Security and Privacy
MAIA processes protected health information (PHI) only under a signed Business Associate Agreement (BAA) with the covered entity. All PHI is encrypted in transit with TLS 1.2 or higher and encrypted at rest. Processing infrastructure is located in the United States. Patient data is never used to train foundation models or shared with third-party AI providers for training. Access is role-restricted and audit-logged. A SOC 2 Type II audit is in progress. For covered entities that require additional controls, MAIA supports customer-managed encryption keys, configurable data-retention windows, and a right-to-be-forgotten workflow.
| Area | Posture |
|---|---|
| HIPAA | BAA available for all covered entities; see /baa |
| Encryption in transit | TLS 1.2 or higher on all endpoints |
| Encryption at rest | AES-256 for stored PHI and backups |
| Data residency | United States only |
| Model training | PHI is not used to train any foundation model |
| Access control | Role-based, least privilege, immutable audit log |
| Authentication | SSO (SAML/OIDC) available; MFA required for staff |
| Retention | Configurable per practice; the default is the minimum retention period required for regulatory compliance |
| Breach notification | Per BAA, within 60 days of discovery (most cases within days) |
| Third-party processors | Each covered by a downstream BAA where PHI is involved |
| SOC 2 | Type II audit in progress; interim attestation on request |
MAIA is built HIPAA-aware and enters into a Business Associate Agreement (BAA) with every covered entity before any PHI is processed. The BAA template is available for review.
All PHI is processed on US-based infrastructure. No data is transferred outside the United States. Stored PHI is encrypted at rest with industry-standard algorithms (AES-256, as listed above); connections are encrypted in transit with TLS 1.2 or higher.
No. Patient PHI is used solely to deliver the services the practice has requested. It is not used to train foundation models, not shared with third-party model providers for training, and not sold or licensed.
A SOC 2 Type II audit is in progress. Interim attestation documents and our security-control inventory are available under NDA on request.
Access is role-restricted and logged. Support and engineering staff reach customer data only when responding to an authorized request. All access events are recorded in an immutable audit log available to the practice on request.
Contact us for a copy of the BAA, the SOC 2 interim attestation, and the control inventory spreadsheet.