Sera was built from day one for healthcare. Every call, every transcript, every piece of patient data is protected by enterprise-grade security and full HIPAA compliance.
Our Commitment
We built Sera specifically for healthcare practices that handle sensitive patient information every day. Security, privacy, and compliance are embedded in every layer of our platform — not bolted on as an afterthought.
HIPAA Compliance
Many AI tools claim to be "HIPAA-friendly." Sera is fully HIPAA compliant, covering every requirement across administrative, physical, and technical safeguards. We sign a Business Associate Agreement (BAA) with every client, and our infrastructure is audited annually.
Encryption
Patient data is encrypted at every stage — from the moment a call connects to when your team reviews the summary.
All data moving between callers, our servers, and your dashboard is encrypted with TLS 1.3 — the latest transport-layer security protocol. No exceptions, no fallbacks.
Call recordings, transcripts, and patient data stored in our databases are encrypted with AES-256, the same standard used by banks and government agencies.
AI processing runs in isolated, ephemeral compute environments. Audio data is processed in memory, never written to disk, and the environment is destroyed after each call.
How It Works
From the moment a patient dials your number to when your team gets the summary, every step is secured and audited.
1. Patient calls your practice number. The call routes through encrypted, HIPAA-compliant telephony infrastructure. (TLS 1.3 + SRTP)
2. Sera's AI processes the call in an isolated, ephemeral environment. No data is persisted beyond what's needed. (Ephemeral Compute)
3. A structured call summary is created and encrypted with AES-256 before being stored in our secure database. (AES-256 Encrypted)
4. Your team receives a notification through secure, authenticated channels. Dashboard access requires MFA. (MFA + RBAC)
Infrastructure
Our security posture is validated by independent auditors and built on industry-leading cloud infrastructure.
Independently audited for security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 Type II report is available upon request under NDA.
Every piece of data is encrypted using TLS 1.3 in transit and AES-256 at rest. Encryption keys are managed through a dedicated key management service with automatic rotation.
Hosted on HIPAA-eligible cloud infrastructure with geographic redundancy, automated backups, and a 99.99% uptime SLA. All data resides in US-based data centers.
Role-based access control (RBAC) ensures team members only see what they need. Every access event, data query, and configuration change is logged with immutable audit trails.
Data Privacy
Transparency is non-negotiable. Here is exactly how we handle your patients' data.
Documentation
We maintain comprehensive documentation to support your compliance requirements. Available documents can be requested from our security team.
| Document | Description | Availability |
|---|---|---|
| Business Associate Agreement (BAA) | HIPAA-required agreement covering PHI handling, signed before any data processing begins. | Included with Every Plan |
| SOC 2 Type II Report | Independent auditor's report covering security, availability, and confidentiality trust service criteria. | Available Under NDA |
| HIPAA Compliance Attestation | Letter of attestation confirming Sera's compliance with HIPAA Privacy, Security, and Breach Notification Rules. | Available on Request |
| Penetration Test Summary | Executive summary of our most recent third-party penetration test results and remediation actions. | Available Under NDA |
| Data Processing Agreement (DPA) | Agreement outlining data processing terms, sub-processors, data transfers, and retention policies. | Available on Request |
| Incident Response Plan | Overview of our security incident detection, response, containment, and notification procedures. | Available Under NDA |
| Subprocessor List | Complete list of third-party subprocessors that may process data on behalf of Sera, with security details. | Available on Request |
FAQ
Common questions from healthcare practices evaluating Sera's security posture.
Yes. Sera is fully HIPAA compliant across all three safeguard categories: administrative, physical, and technical. We sign a Business Associate Agreement (BAA) with every client, conduct annual risk assessments, maintain comprehensive policies and procedures, and undergo independent third-party audits. Our entire infrastructure, from telephony to data storage, is designed to meet or exceed HIPAA requirements.
Yes. A Business Associate Agreement is included with every Sera plan at no additional cost. We execute the BAA before any patient data is processed. We will never handle PHI without a signed BAA in place. You can request a copy of our standard BAA for legal review at any time.
All patient data is stored exclusively in US-based data centers on HIPAA-eligible cloud infrastructure. Data is encrypted at rest using AES-256 encryption. We maintain geographic redundancy for disaster recovery, but all replicas remain within the United States. We never transfer or store patient data outside of the US.
No. We never use patient data, call recordings, transcripts, or any PHI to train, fine-tune, or improve our AI models. Your patients' data is used solely to provide the service you have contracted for — answering calls, generating summaries, and delivering them to your team. This is a contractual commitment in our BAA and DPA.
We maintain a comprehensive incident response plan that follows HIPAA Breach Notification Rule requirements. In the event of a security incident, we will: (1) contain and investigate the incident immediately, (2) notify affected clients within 24 hours of discovery, (3) provide detailed breach reports per HIPAA requirements, (4) work with clients on any required regulatory notifications, and (5) conduct a post-incident review and implement corrective actions.
Sera implements role-based access control (RBAC) at every level. Your team members only see the data relevant to their role. Multi-factor authentication (MFA) is required for all dashboard access. On the Sera side, access to production systems and patient data requires MFA, VPN, and explicit approval from our security team. All access events are logged in immutable audit trails.
Yes. You can request complete deletion of all your practice's data at any time. Upon receiving a written deletion request, we will permanently remove all PHI, call recordings, transcripts, and associated data within 30 days. We will provide written confirmation once the deletion is complete. Backup copies are purged within 90 days per our retention policy.
SOC 2 Type II is an independent audit conducted by a certified third-party firm that evaluates our security controls over a sustained period (typically 6-12 months). Unlike Type I, which only evaluates the design of controls at a point in time, Type II verifies that our controls are operating effectively over time. Our SOC 2 Type II report covers all five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.
Get in Touch
Have questions about our security posture, need compliance documentation, or want a detailed security review? We are here to help.
security@joinsera.us
(347) 653-1170
30-min deep dive
Book a 15-minute demo and hear Sera handle real patient calls through your clinic's workflow.
Or try it now: (347) 653-1170