Security & Compliance
Xophie is built with healthcare-grade security and privacy controls to protect your practice and patient data.
Our Commitment to Security
Healthcare data security is at the core of everything we do. Xophie implements comprehensive security measures across infrastructure, application, and operational layers to ensure that patient information remains protected at all times.
We understand the unique requirements of healthcare communication and have designed our platform to support HIPAA-aligned workflows with strong data protection, privacy, and security controls.
Security Features
Encryption in Transit and at Rest
Xophie encrypts data in transit using industry-standard TLS protocols and relies on encrypted storage provided by our infrastructure partners. Call recordings, transcripts, and patient information are protected using secure cloud encryption standards.
Access Controls
Role-based access control (RBAC) ensures that users can only access data relevant to their role. Multi-factor authentication (MFA) and strong password requirements protect all accounts.
Audit Logging
Xophie maintains audit logs that track system activity and data access. Logs are protected using access controls and retention policies to provide traceability and accountability for compliance purposes.
Secure Infrastructure
Xophie is built on infrastructure providers that maintain SOC 2 Type II compliance (where applicable), including LiveKit, Supabase, Twilio, and AWS. Security monitoring and vulnerability management help ensure ongoing protection.
HIPAA Compliance
HIPAA-Ready Platform
Xophie is designed with healthcare privacy best practices and supports HIPAA-compliant workflows for covered entities and their business associates.
HIPAA Safeguards
- Administrative Safeguards: Security policies, workforce training, access management, and incident response procedures
- Physical Safeguards: Secure data centers with 24/7 monitoring, redundant systems, and disaster recovery capabilities
- Technical Safeguards: Encryption, authentication, access controls, audit logging, and automatic logoff
Business Associate Agreements (BAAs)
Xophie operates on HIPAA-eligible infrastructure and plans to execute Business Associate Agreements with covered entities where required. BAAs specify how Protected Health Information (PHI) is handled, protected, and used in compliance with federal regulations.
Xophie uses HIPAA-eligible subprocessors and will maintain Business Associate Agreements where required for customers handling PHI, ensuring compliance throughout the data processing chain.
Infrastructure & Technology Partners
Xophie leverages industry-leading infrastructure and technology providers, all of which maintain rigorous security standards:
LiveKit
Real-time communication infrastructure for voice AI interactions. SOC 2 Type II certified, with strong encryption of data in transit.
Supabase
Secure database and authentication infrastructure with built-in encryption, backup, and row-level security.
Twilio
Enterprise telephony and SMS platform. HIPAA-eligible with BAA support and comprehensive security controls.
Amazon Web Services (AWS)
Cloud hosting infrastructure with HIPAA eligibility, SOC 2 compliance, and 99.99% uptime SLA.
PostHog
Privacy-focused analytics platform. All analytics data is anonymized and does not contain PHI.
For a complete list of infrastructure providers and data processing details, see our Subprocessors page.
Data Protection Practices
Data Minimization
We collect only the minimum data necessary to provide services and operate effectively.
Data Segregation
Each healthcare practice's data is logically isolated and segregated to prevent cross-access.
Automated Backups
Daily encrypted backups with point-in-time recovery capabilities to prevent data loss.
Secure Deletion
Data is securely deleted using cryptographic erasure when no longer needed or upon request.
Network Security
Firewalls, intrusion detection systems, and DDoS protection secure all network traffic.
Vulnerability Management
Security monitoring, vulnerability scanning, and timely patch management help identify and resolve potential risks.
Operational Security
Team Training & Awareness
All Xophie team members undergo comprehensive security and privacy training, including HIPAA compliance, data handling procedures, and incident response protocols.
Incident Response
We maintain a documented incident response plan to quickly identify, contain, and resolve security incidents. Customers are notified of any breaches in accordance with legal requirements.
Continuous Monitoring
Xophie uses automated monitoring and alerting tools to detect and respond to potential security issues and system events.
Security Assessments
Xophie conducts internal security reviews and plans to engage independent third-party security assessments as the platform scales.
Shared Responsibility Model
Security is a shared responsibility between Xophie, healthcare practices, and infrastructure providers. Each party plays a critical role in maintaining data protection and privacy.
Xophie's Responsibility
Platform-level security controls, access management, secure development practices, and incident response.
Healthcare Practice Responsibility
Operational policies, patient data governance, staff training, consent management, and compliance oversight.
Infrastructure Provider Responsibility
Physical security, network infrastructure, data center operations, and foundational cloud security controls.
Current Compliance Status
Transparency builds trust. Here is Xophie's current compliance status:
| Standard | Status |
|---|---|
| HIPAA-Eligible Infrastructure | Active |
| BAA Availability | Planned |
| SOC 2 Type II Certification | In Progress |
| HITRUST Certification | Planned |
| ISO 27001 Certification | Planned |
Compliance Roadmap
Xophie is committed to continuous improvement in security and compliance. Our roadmap includes:
HIPAA-Aligned Infrastructure (Current)
HIPAA-eligible infrastructure; BAAs planned for covered entities
SOC 2 Type II Certification (In Progress)
Formal SOC 2 Type II audit and certification process underway
HITRUST Certification (Planned)
Healthcare-specific security framework certification for enterprise customers
ISO 27001 Certification (Planned)
International information security management standard
Transparency & Trust
We believe transparency builds trust. Xophie is committed to:
- Clearly communicating our security and privacy practices
- Promptly disclosing security incidents in accordance with legal requirements
- Maintaining open dialogue with customers about security concerns
- Providing detailed documentation and security questionnaires upon request
- Participating in responsible disclosure programs for security researchers
Contact Our Security Team
For security inquiries, compliance questions, or to report a security vulnerability, please contact our security team:
Security Email: [email protected]
Compliance Inquiries: [email protected]
BAAs, DPAs, Security Questionnaires: [email protected]
General Support: [email protected]
We take all security reports seriously and aim to respond to verified security issues within 48 hours.