HIPAA-aware by design.
We sign Business Associate Agreements (BAAs) with customers that require one. The safeguards below are live in production today. Email legal@inferowl.com to request a BAA or our HIPAA security questionnaire response.
Administrative, physical & technical safeguards
Minimum necessary
InferOwl is built for staffing teams, not clinical operations. We collect the data needed to match candidates to jobs — specialty, licensure, shifts, contact details, conversations. Clinical PHI (treatment records, diagnoses) is out of scope and should not be uploaded.
Tenant isolation
Row-level security at the Postgres layer ensures one customer cannot read another customer’s candidates, calls, or transcripts — even via API misuse.
Access controls
Five role types with column-level RBAC. Admin actions land in the audit log. MFA on owner / manager roles ships Q3 2026.
Encryption
TLS 1.2+ in transit, AES-256 at rest, signed short-lived URLs for transcripts and recordings.
Audit trail
Every access, stage move, transcript creation, and admin action lands in an immutable events table. Exportable for customer-side audits.
Sub-processor due diligence
Plivo, Deepgram, Gemini, Razorpay, and Supabase each operate under a DPA. We track their compliance posture and notify customers of material changes.
Breach response
Documented runbook with named owners, paging policy, and a 24-hour customer-notification commitment for any incident that involves PHI exposure.
Request a BAA or questionnaire.
We respond within one business day with the documents your security team needs.