HIPAA Compliance

Built for regulated medical practices from day one.

Eva AI handles PHI across voice, SMS, and email. Our compliance program combines encryption, process controls, and continuous monitoring so your patients stay protected and your team stays audit-ready.

Business Associate Agreements

We execute BAAs with Professional and Enterprise customers and flow HIPAA obligations to every sub-processor.

Encryption & Segmentation

PHI is encrypted with AES-256 at rest and TLS 1.2+ in transit. Customer data lives in isolated tenants with unique keys.

Detailed Audit Trails

Every call, transcript access, and export is logged with timestamp, user, and IP—available for compliance reviews.

Administrative Safeguards

  • HIPAA training & background checks for all employees with PHI access
  • Role-based permissions with just-in-time elevation for support engineers
  • Quarterly access reviews and mandatory MFA across the entire platform
  • Documented incident response plan with 24/7 on-call escalation

Technical Safeguards

  • Zero-trust networking with mutual TLS between services
  • Automatic redaction of payment details and other sensitive fields in transcripts
  • Data retention controls configurable per customer (30–365 days)
  • Continuous vulnerability scanning and third-party penetration tests

Physical Safeguards

  • SOC 2 Type II + HIPAA-ready cloud infrastructure (AWS & Supabase)
  • Encrypted, access-controlled backups replicated across regions
  • No PHI stored on employee devices; access allowed through managed browsers only
  • Regular verification of data center compliance certifications