Security & Compliance

Built for the data your patients trust you with.

DME distributors handle PHI on every order. Here's exactly how ScriptRelay protects it — and where we are on the compliance roadmap.

Honest posture: we state exactly where we are, not where we're headed as if we're already there.

HIPAA & Business Associate Agreement

ScriptRelay operates as a Business Associate under HIPAA. When you send patient prescription data through our platform, we receive and process Protected Health Information (PHI) on behalf of you, the covered entity. That relationship requires a signed BAA, and we make one available upon request to every customer, with no tier gating.

Our PHI handling controls, starting from the minimum necessary standard:

  • Minimum necessary access — we process only the PHI fields required to fulfill the specific workflow (e.g., intake, insurance verification, prior auth)
  • Encryption in transit — all data transmitted over TLS 1.2 or higher; TLS 1.3 is negotiated wherever the client supports it
  • Encryption at rest — database storage encrypted with AES-256 via Neon Postgres (hosted on AWS)
  • Audit logging — record-level access events logged for PHI interactions; available on request
  • Role-based access — staff access limited to their assigned workflow; no cross-company data access
  • BAA available upon request — request one via the form below, or review the template PDF first

Compliance & audit readiness: Our BAA covers not just data handling but the full compliance audit trail: AOBs, verification logs, POD, LCD review. See also: How ScriptRelay handles audit requests.

Data Ownership

Your data belongs to you. ScriptRelay does not claim ownership of patient records, order history, workflow data, or any other content you create or upload. We are a processor, not a controller.

What this means in practice:

  • Export anytime — contact us to receive a full export of your order history and patient records in CSV or JSON format
  • Deletion on termination — upon account closure, your PHI is deleted from active systems within 30 days, subject to any legal retention requirements (e.g., HIPAA's 6-year retention period for compliance documentation, and applicable state medical-record retention laws)
  • No data monetization — we do not sell, license, or analyze your patient data for any purpose other than operating the service you contracted for
  • No cross-tenant data use — your data is never used to train models or improve features for other customers without explicit written consent

Infrastructure

ScriptRelay runs on modern, well-operated cloud infrastructure. We are transparent about our providers and their security posture.

Component | Provider | Details
Application hosting | Render.com | SOC 2 Type II certified platform; apps run in isolated containers; US-based data centers.
Database | Neon (PostgreSQL on AWS) | AES-256 encryption at rest; automated daily backups; point-in-time recovery. Tenant data logically isolated per account (see Tenant isolation below).
Encryption in transit | TLS 1.2+ (1.3 preferred) | All connections between client, app, and database are encrypted. No plaintext channels.
Backups | Neon automated | Daily automated backups with 7-day retention. Point-in-time recovery available.
Disaster recovery | Neon / Render | RTO and RPO not yet published. Current posture: managed database failover via Neon; application recovery via Render auto-restart. Formal DR runbook in progress.
Tenant isolation | PostgreSQL row-level security | Single multi-tenant database with enforced row-level access controls; your data is isolated from other customers at the query layer.
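The table describes tenant isolation enforced by PostgreSQL row-level security at the query layer. The following is an added illustration of that technique, not ScriptRelay's own schema or code: the table name orders, the tenant_id column, the application role app_rw and the per-transaction setting app.current_tenant are all assumptions. It shows the two settings that most often leave RLS ineffective (the owner exemption and a bypass-capable application role) alongside the corrected configuration, and why the policy fails closed when a request forgets to set its tenant.

```sql
-- Added example (not ScriptRelay's schema): tenant isolation with PostgreSQL
-- row-level security. Assumed names: table "orders" with a tenant_id column,
-- application role "app_rw", and a per-transaction setting "app.current_tenant".
CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    patient_id uuid NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Weak setting: ENABLE alone leaves the table owner exempt from every policy.
-- FORCE closes that gap so the owner is filtered like everyone else.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL if the setting was never defined in
-- this session and '' once it has been defined and then reverted. NULLIF maps
-- both to NULL, and "tenant_id = NULL" is never true, so a request that forgot
-- to set its tenant sees zero rows (fail closed) instead of every tenant's rows.
CREATE POLICY tenant_isolation ON orders
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- The application role must be neither superuser nor BYPASSRLS, and must not
-- own the table; otherwise the policy is silently skipped.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_rw;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_rw;

-- Per request: bind the tenant to the transaction. SET LOCAL (not SET) matters
-- behind a connection pooler, where the next request may reuse this connection.
BEGIN;
SET LOCAL app.current_tenant = 'd1c5a6f0-0000-4000-8000-000000000001';
SELECT id, patient_id FROM orders;          -- only tenant ...0001's rows
INSERT INTO orders (tenant_id, patient_id)  -- allowed: tenant_id matches the setting
VALUES ('d1c5a6f0-0000-4000-8000-000000000001',
        '0d4d5c1e-0000-4000-8000-000000000009');
COMMIT;

-- A write that names another tenant is rejected by the WITH CHECK clause with
-- "new row violates row-level security policy for table "orders"".
BEGIN;
SET LOCAL app.current_tenant = 'd1c5a6f0-0000-4000-8000-000000000001';
INSERT INTO orders (tenant_id, patient_id)
VALUES ('d1c5a6f0-0000-4000-8000-000000000002',
        '0d4d5c1e-0000-4000-8000-000000000009');
ROLLBACK;
```

The check a reviewer would run against a setup like this: connect as the application role, set one tenant, and confirm a query for another tenant's known row returns nothing; then repeat with no tenant set and confirm the result is empty rather than the whole table. RLS only holds as long as the application never connects as the owner, a superuser, or a BYPASSRLS role, so those role attributes belong in the same review.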

Access Controls

Access to patient data and workflows is controlled at both the application and infrastructure layer.

  • Role-based permissions — staff accounts scoped to their workflow; admin-only views for sensitive data
  • Audit logs — all access to order and patient records is logged with timestamp, user, and action; logs available to account administrators on request
  • MFA — multi-factor authentication for staff accounts. Planned Q3 2026
  • SSO (SAML / OIDC) — enterprise SSO integration on roadmap for multi-location customers. Planned H2 2026
  • Internal access controls — production database access restricted to named personnel; access reviewed quarterly
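The audit-logging commitment above is timestamp, user and action for every record-level PHI interaction. The block below is an added example of how such a trail is built at the database layer; it is not ScriptRelay's code, and the table names patients and phi_audit_log, the role app_rw and the setting app.current_user are assumptions. Two design points it demonstrates: the log records which PHI columns changed but never their values, so the audit table does not become a second copy of the PHI, and a write that arrives with no application user attached is refused rather than logged as anonymous.

```sql
-- Added example (not ScriptRelay's code): append-only, record-level audit trail
-- for a PHI table in PostgreSQL. Assumed names: patients, phi_audit_log, app_rw,
-- and a per-transaction setting "app.current_user" set by the application.
CREATE TABLE patients (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    full_name text NOT NULL,
    dob       date NOT NULL
);

CREATE TABLE phi_audit_log (
    id           bigserial PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor        text NOT NULL,                 -- application user, not the DB role
    db_role      text NOT NULL DEFAULT current_user,
    action       text NOT NULL,                 -- INSERT / UPDATE / DELETE
    table_name   text NOT NULL,
    record_id    bigint NOT NULL,
    changed_cols text[]                         -- column names only, never values
);

-- SECURITY DEFINER lets the trigger write the log even though the application
-- role has no INSERT on phi_audit_log; the fixed search_path stops a caller from
-- redirecting the function's unqualified names to objects it controls.
CREATE OR REPLACE FUNCTION audit_phi_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
DECLARE
    rec_id bigint := CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END;
    cols   text[];
BEGIN
    IF TG_OP = 'UPDATE' THEN
        -- Record which columns differ between OLD and NEW, not what they hold.
        SELECT array_agg(n.key) INTO cols
        FROM jsonb_each(to_jsonb(NEW)) AS n
        WHERE n.value IS DISTINCT FROM (to_jsonb(OLD) -> n.key);
    END IF;
    -- actor is NOT NULL: if the application did not set app.current_user, this
    -- INSERT fails and the PHI change it belongs to is aborted with it.
    INSERT INTO phi_audit_log (actor, action, table_name, record_id, changed_cols)
    VALUES (NULLIF(current_setting('app.current_user', true), ''),
            TG_OP, TG_TABLE_NAME, rec_id, cols);
    RETURN NULL;   -- return value is ignored for AFTER triggers
END $$;

CREATE TRIGGER patients_audit
AFTER INSERT OR UPDATE OR DELETE ON patients
FOR EACH ROW EXECUTE FUNCTION audit_phi_change();

-- The application may read the log for administrators but cannot write to it
-- directly or rewrite history; only the trigger appends rows.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO app_rw;
GRANT USAGE ON SEQUENCE patients_id_seq TO app_rw;
GRANT SELECT ON phi_audit_log TO app_rw;

-- Per request: attach the acting user to the transaction (SET LOCAL, so a pooled
-- connection does not carry the identity into the next request).
BEGIN;
SET LOCAL app.current_user = 'jdoe@example-dme.test';
UPDATE patients SET dob = '1960-03-01' WHERE id = 42;
COMMIT;
```

After that UPDATE the log holds one row naming the actor, the action UPDATE, record 42 and the changed column list {dob}, with the date itself absent. One caveat for anyone mapping this to the "all access ... is logged" commitment above: row triggers fire on writes only. Read access (SELECT) has to be logged at the application layer or through a statement-level extension such as pgaudit, and a review of an audit-logging claim should ask which of the two covers reads.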

AI & PHI Handling

This section matters most for AI-native vendors. Customers need to know: does AI touching my orders mean a third-party model provider is seeing my patients' names and insurance IDs? Here is the honest answer.

PHI in AI prompts: ScriptRelay's AI workflows do process PHI as part of tasks like insurance verification lookups, prior auth drafting, and intake parsing. Patient names, dates of birth, insurance member IDs, and diagnosis codes may be included in prompts sent to model providers. We do not sanitize PHI from prompts unless a customer-specific configuration requires it.

  • Model provider BAAs — PHI sent to an AI model provider is covered only under a BAA with that provider, which providers offer on their Enterprise or Healthcare API tiers. The execution status of each provider BAA is listed in the Subprocessors table below; your BAA with ScriptRelay flows down to those subprocessors.
  • No model training on your data — our agreements with model providers prohibit use of API inputs for model training. Your patient data does not improve anyone else's model.
  • Prompt logging — AI prompts containing PHI are not logged to third-party observability tools. Application-layer logs that contain PHI fields are stored in our encrypted database only.
  • Data residency — AI API calls are processed in US-based data centers where available. We do not route PHI through providers with EU-only or offshore-only infrastructure.

Compliance Roadmap

We're a pre-revenue company that takes its PHI obligations seriously. Below is our honest current state and planned milestones, not aspirational marketing.

Certification / Control | Status | Target / Notes
HIPAA BAA execution | Available now | BAA available upon request for all customers
Encryption at rest (AES-256) | Live | Enforced at database layer via Neon/AWS
Encryption in transit (TLS) | Live | All connections encrypted; TLS 1.3 preferred
Audit logging | Live | Record-level access events logged; customer export on request
Automated backups | Live | Daily backups with point-in-time recovery via Neon
Formal security policies | In progress | Written information security policy, access review cadence, incident response plan; targeting Q3 2026
Penetration testing | Planned | First external pen test targeting Q4 2026, alongside SOC 2 readiness
SOC 2 Type I | Planned | Targeting audit initiation Q1 2027. Trust Services Criteria in scope: Security, Availability, Confidentiality
HITRUST CSF | Under consideration | Evaluating need based on enterprise customer requirements in 2027

Our honest posture: We are not SOC 2 certified yet. We are not HITRUST certified. We are HIPAA-compliant as a Business Associate and take PHI security seriously. If your procurement requires SOC 2 Type II before signing, contact us — we'll be transparent about timeline and whether we can meet your requirements.

Incident Response

Breach notification commitment: In the event of a security incident involving PHI, we will notify affected customers within 24 hours of confirmed discovery — well ahead of HIPAA's 60-day requirement. Notification includes: what data was affected, how it was accessed, what we're doing to contain it, and your obligations to notify patients.

We operate a coordinated vulnerability disclosure program. If you discover a security vulnerability in ScriptRelay, we ask that you contact us before public disclosure so we can address it.

Security disclosures: Email anthony@scriptrelay.io. We respond to all security reports within 1 business day. For critical vulnerabilities, we target a patch within 48 hours.

Subprocessors

The following third-party vendors may access or process customer data as part of operating the ScriptRelay service. We maintain BAAs or equivalent data processing agreements with subprocessors that handle PHI.

Vendor | Purpose | Data Accessed | BAA / DPA
Render | Application hosting & compute | Application code; PHI held transiently in memory during request handling | DPA in place
Neon (AWS) | PostgreSQL database | All stored application data, including PHI | DPA in place
Postmark | Transactional email | Email addresses; notification content (no PHI in email body) | DPA in place
Stripe | Payment processing | Billing information only (no PHI) | DPA in place
AI model provider(s) | AI workflow processing | PHI included in prompts for intake, prior auth, and insurance verification workflows | In progress

Request a BAA

Fill this out and Anthony will send you a customized, countersigned BAA within one business day.
