Security
Security & Compliance
How SOAPNoteAPI protects your data and your patients' data.
HIPAA Compliance
- Business Associate Agreement (BAA) available to all production accounts at no extra cost
- Build and test free with a test key using synthetic data — no BAA needed for non-PHI evaluation
- Before sending real PHI in production, execute a BAA — email support@soapnoteapi.com and our team sets it up
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest
- API keys hashed with SHA-256, shown once at creation, never stored in plaintext
Data Handling
- Notes auto-expire after configurable retention period
- No PHI in application logs
- No customer data used for model training
- Transcripts and notes are processing artifacts — not stored beyond expiry
Infrastructure
- Hosted on AWS (US regions)
- Redundant architecture
- 99.9% uptime target — see live data on the status page
Authentication & Access Control
- API key authentication for all requests
- Keys scoped per account
- Audit logging for all access events
Contact
Security questions?
If you have security concerns or need to report a vulnerability, reach out to support@soapnoteapi.com.