Skip to main content
VisitConfirmed
Get Started

Security & Trust

Last Updated: June 11, 2026

Visit Confirmed handles Protected Health Information (“PHI”) on behalf of healthcare practices. Protecting that data is foundational to our product. This page summarizes our security program.

Healthcare organizations and partners evaluating Visit Confirmed may use this page as a starting point for security and compliance reviews. Additional documentation is available on request (see Documentation for Security Reviews).

HIPAA & Business Associate Agreements

Visit Confirmed operates as a Business Associate under HIPAA when handling PHI on behalf of healthcare Customers.

  • We enter into Business Associate Agreements (BAAs) with our Customers.
  • We maintain BAAs with subprocessors that create, receive, or store PHI on our behalf.
  • We apply administrative, technical, and physical safeguards aligned with the HIPAA Security Rule.
  • We limit access to PHI to authorized workforce members.

Hosting & Infrastructure

Our services run on Google Cloud Platform (GCP) in the United States, under a signed BAA covering the GCP services we use (compute, database, secret management, logging, and task queues). We operate no on-premises servers that hold PHI; physical and environmental safeguards are inherited from GCP. The production database has automated, encrypted backups with point-in-time recovery.

Encryption

  • In transit: all external connections are encrypted with TLS, with HTTP Strict Transport Security (HSTS) enforced in production.
  • At rest: data is encrypted at rest with AES-256, managed by our cloud provider, across our database, secret store, and object storage.

Access Controls

  • Access to production systems is restricted to authorized workforce members on a least-privilege basis.
  • Multi-factor authentication is enforced for administrative access.
  • Strong password requirements are enforced, including a minimum length and rejection of common passwords and passwords found in known data breaches.
  • Application secrets and credentials are stored in a managed secret store, never in source code.
  • Authenticated sessions use secure, HTTPS-only cookies and expire after a period of inactivity.

Workforce & Endpoint Security

  • Workforce members complete background screening, including healthcare sanctions and exclusions screening, before being granted access to PHI.
  • Workforce members complete HIPAA privacy and security awareness training before accessing PHI and at least annually thereafter.
  • Workforce endpoints use full-disk encryption and endpoint malware protection.

Data Handling & Minimization

  • We do not sell patient data, and we do not use PHI to train public AI models.
  • Each practice is provisioned with its own dedicated messaging number; phone numbers are never shared across practices.
  • We do not record or retain patient call audio; voice interactions are handled in real time, and only a text transcript is stored.
  • PHI never enters our source code or continuous-integration systems.
  • Customer data is logically separated at the application layer, scoped per organization.
  • Operational data is retained only as long as needed to provide the Service; PHI is returned or destroyed on contract termination in accordance with the BAA. Our data-retention policy is available on request.

Subprocessors

We use a limited set of vetted subprocessors to deliver the Services, including cloud hosting, telephony, email delivery, AI model providers, and error monitoring. We maintain BAAs with subprocessors that store or process PHI on our behalf. A current subprocessor list is available on request.

AI & Model Providers

Our AI features use established foundation models accessed only through HIPAA-eligible enterprise APIs under Business Associate Agreement or covered-services terms. We do not use consumer AI products to process patient data, we do not host or fine-tune our own models, and we do not use customer or patient data to train any model. A current list of AI subprocessors is available on request.

Secure Development

  • Source code is hosted in a private repository with required review before changes are merged.
  • Automated linting, type checking, and tests gate every change.
  • Dependencies are pinned to exact versions and monitored for known vulnerabilities; new releases are held for a cooldown period before they can be installed, as a supply-chain safeguard.

Monitoring & Incident Response

We maintain application and security logging and error monitoring. We have an incident response process for detecting, investigating, containing, and, where required, notifying Customers of security incidents in accordance with our BAAs and applicable law.

Customer Responsibilities

Security is a shared responsibility. Customers (the covered entities) are responsible for: obtaining and managing patient consent for SMS, voice, and email communications; safeguarding the API credentials issued to them; and managing access to their own EHR and systems.

Documentation for Security Reviews

Visit Confirmed maintains documentation to support customer and partner security reviews. The following materials are available on request, under NDA or applicable confidentiality terms:

  • Written Information Security Program (WISP)
  • Subprocessor list
  • Incident response policy
  • Data retention policy

We are happy to complete customer and partner security questionnaires and provide additional documentation as part of a vendor review.

Reporting a Security Issue

If you believe you have found a security vulnerability, please contact us at security@visitconfirmed.com. We acknowledge reports and remediate verified issues on a risk-prioritized basis.

Contact

Security: security@visitconfirmed.com
Privacy: privacy@visitconfirmed.com