Compliance & trust
Evidence, controls, and obligations for Brightleaf Dental. Wording is deliberately precise — these are workflows and profiles, not guarantees.
What "HIPAA-mode" means here. This tenant runs on a HIPAA-ready deployment profile: PHI is labeled, access is logged, BAAs are tracked, and risky AI actions require approval. It is a configuration, not a certification. Achieving a compliant posture requires operator-side configuration (access controls, workforce training, BAA chain with downstream vendors). Neither the platform nor this dashboard constitutes legal compliance advice.
Active controls
Encryption at rest (AES-256)
All tenant data encrypted at rest.
Encryption in transit (TLS 1.3)
All API and browser traffic.
HIPAA-mode eligible posture
Under shared responsibility — operator config required to complete posture.
Audit logging (WORM, append-only)
All events immutable; 7-year retention.
Consent capture
Web, SMS, voice — all channels.
PHI handling
HIPAA-mode · access logged · AI conversation logs are configured not to retain raw PHI.
BAA executed
Signed 2025-11-03 · expires 2026-11-03.
DPA on file
DPA v3.1 in effect.
Data residency — US East
No cross-region replication without explicit consent.
Right to erasure (DSAR workflow)
DSAR workflow active · 30-day processing target from receipt of request.
Penetration test (annual)
Next scheduled: 2026-Q3.
SOC 2 Type II (platform)
Report available from the platform team on request.