Security & Compliance

We handle patient data with the same care you do. Security isn't a feature — it's the foundation.

HIPAA Compliance

Mimic is built from the ground up to meet HIPAA requirements. All patient data is encrypted at rest and in transit. Access controls ensure only authorized personnel can view patient information. We execute a BAA before accessing any patient data.

Business Associate Agreement

We sign a BAA with every customer before we access any patient data. Our BAA includes 10-day breach notification, minimum necessary access standards, and six-year disclosure record retention — exceeding standard industry requirements.

Encryption

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Voice recordings, patient records, and communication logs are stored in encrypted databases with access restricted to authorized services only.

US-Based Infrastructure

All data is processed and stored in US-based data centers. We do not transfer patient data internationally. Our infrastructure is hosted on providers that maintain SOC 2 Type II certifications.

Access Controls

Role-based access controls (RBAC) ensure that team members only access the data they need. All access is logged, monitored, and auditable. We follow the minimum necessary standard across our entire platform.

Data Retention

We retain data only as long as necessary for the services we provide. Upon termination, we retain your data for 60 days so you can export everything in a standard format at no cost. After that, it's securely deleted.

Differentiators

What sets our security apart

Genuine legal commitments from our contracts — not marketing promises.

No AI training on your data

We contractually prohibit using your data to train AI or machine learning models. Most AI vendors don't make this promise.

Mutual indemnification

We indemnify you against IP infringement and gross negligence. Most vendors only require indemnification flowing one way.

Free data export

No data hostage scenarios. Export all your data in a standard, machine-readable format. No fees. No delays.

Month-to-month

30 days' notice to cancel. No multi-year lock-in. No penalties.

AI Safety

Honest about AI

We use AI and we're upfront about it. Our AI may occasionally produce inaccurate or unexpected responses.

That's why we built a rigorous testing infrastructure — hundreds of synthetic test calls, multi-dimensional scoring, and continuous monitoring.

And why clinical questions are always routed to your team. Mimic is a receptionist, not a clinician.

Have security questions?

We're happy to walk through our security practices in detail.
