Trust & Security

Built to protect patient data from the first line of code.

The agreements, controls, and design choices behind every tool we build.

Last updated June 2026
Principles

Human review: A person reviews AI output before it's used — nothing is finalized automatically.
Minimum necessary: We process only the data a task needs — nothing more.
Your boundary: PHI is processed and stored in a HIPAA-eligible US cloud.
No AI training: Your data is never used to train or improve any AI model.
Compliance

BAA: Signed with every practice before any real patient data is processed.
Subprocessors: Every vendor that handles PHI operates under a BAA.
HIPAA: Built to the HIPAA Privacy & Security Rules.
SOC 2: On our roadmap. Happy to walk your team through controls today.
Security

Encryption: TLS in transit, AES-256 at rest.
Tenant isolation: Each practice's data is logically separated.
Least privilege: Scoped IAM access; secrets in a managed vault, never in code.
Audit logging: Access to PHI is logged.
US residency: Stored and processed in US cloud regions.
Data handling

What we process: Only the data a task needs.
De-identification: Identifiers are minimized or removed wherever a task allows.
Retention: Only as long as needed, per your direction and the BAA.
Deletion & export: On request, any time; returned or destroyed on termination.
Subprocessors

Vendor                 Purpose                   BAA
Amazon Web Services    Hosting & storage (US)    Yes
Anthropic              AI processing             Yes
Neon                   Database                  Yes
FAQ
Do you sign a BAA?

Yes — with every practice, before any real patient data is processed.

What data does the AI see?

Only the minimum needed for the task. Identifiers are minimized or removed wherever possible.

Is our data used to train AI?

No, never.

Can a tool act on its own?

No. A person reviews AI output before it's used.

Can we get our data back or deleted?

Yes, any time.

Questions from your compliance team?

We'll share documentation or send a BAA to your legal team.
