HIPAA & Business Associate Agreement
ScriptRelay operates as a Business Associate under HIPAA. When you send patient prescription data through our platform, we receive and process Protected Health Information (PHI) on your behalf, with you as the covered entity. That relationship requires a signed BAA, and we provide one for every customer — no tier gating, no legal review delays.
Our PHI handling follows minimum necessary principles:
- Minimum necessary access — we process only the PHI fields required to fulfill the specific workflow (e.g., intake, insurance verification, prior auth)
- Encryption in transit — all data transmitted over TLS 1.2+. TLS 1.3 enforced where supported by the client
- Encryption at rest — database storage encrypted with AES-256 via Neon Postgres (hosted on AWS)
- Audit logging — record-level access events logged for PHI interactions; available on request
- Role-based access — staff access limited to their assigned workflow; no cross-company data access
- BAA available to all customers — no upsell required. Email anthony@scriptrelay.io to request yours
Founder review needed: Confirm exact TLS version enforced at Render ingress, and whether current BAA template is ready for execution. If BAA is draft-only, update wording to "BAA available upon request — contact us to initiate."
Data Ownership
Your data belongs to you. ScriptRelay does not claim ownership of patient records, order history, workflow data, or any other content you create or upload. We are a processor, not a controller.
What this means in practice:
- Export anytime — contact us to receive a full export of your order history and patient records in CSV or JSON format
- Deletion on termination — upon account closure, your PHI is deleted from active systems within 30 days, subject to any legal retention requirements (e.g., 6-year HIPAA record retention minimum)
- No data monetization — we do not sell, license, or analyze your patient data for any purpose other than operating the service you contracted for
- No cross-tenant data use — your data is never used to train models or improve features for other customers without explicit written consent
Infrastructure
ScriptRelay runs on modern, well-operated cloud infrastructure. We are transparent about our providers and their security posture.
| Component | Provider | Details |
|---|---|---|
| Application hosting | Render.com | SOC 2 Type II certified platform; apps run in isolated containers. US-based data centers. |
| Database | Neon (PostgreSQL on AWS) | AES-256 encryption at rest; automated daily backups; point-in-time recovery. Database isolated per account. |
| Encryption in transit | TLS 1.2+ (1.3 preferred) | All connections between client, app, and database are encrypted. No plaintext channels. |
| Backups | Neon automated | Daily automated backups with 7-day retention. Point-in-time recovery available. |
| Disaster recovery | RTO / RPO | Current posture: managed database failover via Neon. Application recovery via Render auto-restart. Formal DR runbook in progress. |
| Network isolation | Row-level security | Multi-tenant database with enforced row-level access controls — your data is isolated from other customers at the query layer. |
Founder review needed: Confirm Neon backup retention period (7 days stated above — verify). Confirm row-level security is enforced in production queries or adjust wording to reflect actual isolation mechanism. Confirm Render data center region.
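The table above describes tenant isolation enforced at the query layer through row-level security. The following is an added illustration of what that mechanism looks like in PostgreSQL (the engine Neon hosts); it is not ScriptRelay's schema or code, and the table, column, role and setting names (orders, tenant_id, app_rw, app.tenant_id) are hypothetical. It shows the weak configuration (RLS enabled but not forced, so the table owner bypasses every policy) next to the hardened one, and a check a reviewer could run to confirm two tenant contexts cannot see each other's rows.

```sql
-- Added example, not ScriptRelay's schema: per-tenant isolation with
-- PostgreSQL row-level security. All names below are hypothetical.
CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    patient    text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Weak setting: ENABLE alone leaves the table owner (often the role that
-- runs migrations) exempt from every policy, so owner connections see all
-- tenants. Superusers and roles with BYPASSRLS are always exempt.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- Corrected: FORCE applies the policies to the owner as well.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- The application sets the tenant for each transaction:
--   SET LOCAL app.tenant_id = '<tenant uuid>';
-- current_setting(..., true) returns NULL when the setting is absent and
-- '' after a reset; NULLIF turns both into NULL, the comparison then yields
-- no rows, so a missing tenant context fails closed instead of leaking.
CREATE POLICY tenant_isolation ON orders
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role: does not own the table and cannot bypass RLS.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_rw;

-- Isolation check (the session user must be a member of app_rw):
-- insert as tenant 1, then confirm tenant 2's context sees none of it.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO orders (tenant_id, patient)
    VALUES ('11111111-1111-1111-1111-111111111111', 'constructed patient A');
-- Writing a row tagged with a different tenant is rejected by WITH CHECK:
--   INSERT INTO orders (tenant_id, patient)
--       VALUES ('22222222-2222-2222-2222-222222222222', 'x');
SELECT count(*) FROM orders;   -- only tenant 1's rows are visible
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM orders;   -- tenant 2's context sees none of them
COMMIT;
```

Two points a reviewer would verify in production beyond the policy text: that the role the application actually connects with is neither the table owner nor a superuser (otherwise FORCE and NOBYPASSRLS are the only things standing between tenants), and that every code path sets app.tenant_id before querying, since the fail-closed behaviour here returns zero rows rather than an error.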
Access Controls
Access to patient data and workflows is controlled at both the application and infrastructure layer.
- Role-based permissions — staff accounts scoped to their workflow; admin-only views for sensitive data
- Audit logs — all access to order and patient records is logged with timestamp, user, and action; logs available to account administrators
- MFA — multi-factor authentication available now for all staff accounts
- SSO (SAML / OIDC) — enterprise SSO integration on roadmap for multi-location customers. Planned H2 2026
- Internal access controls — production database access restricted to named personnel; access reviewed quarterly
Founder review needed: Confirm MFA is implemented and available to customers today. If not yet live, move to "Planned Q3 2026" status. Confirm audit log availability to customer admins.
AI & PHI Handling
This section matters most for AI-native vendors. Customers need to know: does AI touching my orders mean a third-party model provider is seeing my patients' names and insurance IDs? Here is the honest answer.
PHI in AI prompts: ScriptRelay's AI workflows do process PHI as part of tasks like insurance verification lookups, prior auth drafting, and intake parsing. Patient names, dates of birth, insurance member IDs, and diagnosis codes may be included in prompts sent to model providers. We do not sanitize PHI from prompts unless a customer-specific configuration requires it.
- Model provider BAAs — we operate under BAAs with our AI model providers. These BAAs cover PHI processed in API calls on our Enterprise or Healthcare API tiers. Customer BAA with ScriptRelay flows down to our subprocessors.
- No model training on your data — our agreements with model providers prohibit use of API inputs for model training. Your patient data does not improve anyone else's model.
- Prompt logging — AI prompts containing PHI are not logged to third-party observability tools. Application-layer logs that contain PHI fields are stored in our encrypted database only.
- Data residency — AI API calls are processed in US-based data centers where available. We do not route PHI through providers with EU-only or offshore-only infrastructure.
Founder review needed (critical): Confirm which model provider(s) are in use and whether BAAs are actually executed with each. If BAAs are not yet in place, this section must be revised — do not publish as-is. Also confirm whether prompts are currently logged to any external observability service (Datadog, etc.) and whether PHI fields are included.
Compliance Roadmap
We're a pre-revenue company that handles PHI seriously. Below is our honest current state and planned milestones — not aspirational marketing.
| Certification / Control | Status | Target / Notes |
|---|---|---|
| HIPAA BAA execution | Available now | BAA available for all customers at no extra charge |
| Encryption at rest (AES-256) | Live | Enforced at database layer via Neon/AWS |
| Encryption in transit (TLS) | Live | All connections encrypted; TLS 1.3 preferred |
| Audit logging | Live | Record-level access events logged; customer export on request |
| Automated backups | Live | Daily backups with point-in-time recovery via Neon |
| Formal security policies | In progress | Written information security policy, access review cadence, incident response plan — targeting Q3 2026 |
| Penetration testing | Planned | First external pen test targeting Q4 2026 alongside SOC 2 readiness |
| SOC 2 Type I | Planned | Targeting audit initiation Q1 2027. Trust Service Criteria: Security, Availability, Confidentiality. |
| HITRUST CSF | Under consideration | Evaluating need based on enterprise customer requirements in 2027 |
Our honest posture: We are not SOC 2 certified yet. We are not HITRUST certified. We are HIPAA-compliant as a Business Associate and take PHI security seriously. If your procurement requires SOC 2 Type II before signing, contact us — we'll be transparent about timeline and whether we can meet your requirements.
Incident Response
Breach notification commitment: In the event of a security incident involving PHI, we will notify affected customers within 24 hours of confirmed discovery — well ahead of HIPAA's 60-day requirement. Notification includes: what data was affected, how it was accessed, what we're doing to contain it, and your obligations to notify patients.
We operate a coordinated vulnerability disclosure program. If you discover a security vulnerability in ScriptRelay, we ask that you contact us before public disclosure so we can address it.
Security disclosures: Email anthony@scriptrelay.io. We respond to all security reports within 1 business day. For critical vulnerabilities, we target a patch within 48 hours.
Founder review needed: Confirm anthony@scriptrelay.io is a live, monitored inbox. If not, replace with your direct email (anthony@scriptrelay.io or similar) until the alias is set up.
Subprocessors
The following third-party vendors may access or process customer data as part of operating the ScriptRelay service. We maintain BAAs or equivalent data processing agreements with subprocessors that handle PHI.
| Vendor | Purpose | Data Accessed | BAA / DPA |
|---|---|---|---|
| Render | Application hosting & compute | Application code; may process encrypted PHI in memory during request handling | DPA in place |
| Neon (AWS) | PostgreSQL database | All stored application data including PHI | DPA in place |
| Postmark | Transactional email | Email addresses; notification content (no PHI in email body) | DPA in place |
| Stripe | Payment processing | Billing information only (no PHI) | DPA in place |
| AI Model Provider(s) | AI workflow processing | PHI included in prompts for intake, prior auth, and insurance verification workflows | See founder note |
Founder review needed: Replace "AI Model Provider(s)" with actual provider names (e.g., Anthropic, OpenAI). Update BAA status column with accurate information. Add any subprocessors that are missing (e.g., Datadog, Cloudflare if used).
Ready to execute your BAA?
Send us an email and we'll have a BAA back to you within one business day. No legal back-and-forth required for our standard agreement.