Security at EHR Copilot
Protecting your clinical data is our highest priority. Here is how we keep your information safe at every layer.
Last updated: May 17, 2026
Encryption at Rest
All data is encrypted using AES-256. Database backups are also encrypted before storage.
Encryption in Transit
All connections use TLS 1.3. We enforce HTTPS across all endpoints with HSTS headers.
HIPAA Safeguards
Administrative, physical, and technical safeguards per HIPAA §164.312. BAAs available on request.
Access Controls
Role-based access control (RBAC). Clinicians can only access their own session data.
Audit Logs
Comprehensive audit trails for all data access and modification events. Retained 90 days (Team plan).
Infrastructure
Hosted on Vercel (SOC 2 Type II) and Google Cloud (ISO 27001, SOC 2). No single point of failure.
AI Data Isolation
Clinical content sent to AI APIs uses zero-data-retention endpoints. We never train on your data.
Incident Response
We maintain an incident response plan. Affected users are notified within 72 hours of a confirmed breach.
Vulnerability Disclosure
We take security reports seriously. If you discover a vulnerability, please disclose it responsibly by emailing security@ehr.life. Do not publicly disclose the issue until we have had the opportunity to address it. We aim to acknowledge reports within 24 hours and resolve critical issues within 7 days.
Payment Security
All payments are processed by Razorpay (PCI-DSS Level 1 compliant). We never store card numbers, CVVs, or UPI PINs. Payment data is tokenized and handled entirely by Razorpay's secure infrastructure.
Penetration Testing
We conduct periodic security assessments and penetration tests. Results are reviewed by our engineering team and critical findings are remediated before each major release.
Report a Security Issue
Email security@ehr.life with details of the vulnerability. We will respond within 24 hours. Please include steps to reproduce, potential impact, and any supporting evidence.