
Security & Compliance

We handle patient data with the same care you do. Security isn't a feature — it's the foundation.

HIPAA Compliance

Mimic is built from the ground up to meet HIPAA requirements. All patient data is encrypted at rest and in transit. Access controls ensure only authorized personnel can view patient information. We execute a BAA before accessing any patient data.

Business Associate Agreement

We sign a BAA with every customer before we access any patient data. Our BAA includes 10-day breach notification, minimum necessary access standards, and six-year disclosure record retention — exceeding standard industry requirements.

Encryption

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Voice recordings, patient records, and communication logs are stored in encrypted databases with access restricted to authorized services only.

US-Based Infrastructure

All data is processed and stored in US-based data centers. We do not transfer patient data internationally. Our infrastructure is hosted on providers that maintain SOC 2 Type II certifications.

Access Controls

Role-based access controls (RBAC) ensure that team members only access the data they need. All access is logged, monitored, and auditable. We follow the minimum necessary standard across our entire platform.

Data Retention

We retain data only as long as necessary for the services we provide. Upon termination, we retain your data for 60 days so you can export everything in a standard format at no cost. After that, it's securely deleted.

Differentiators

What sets our security apart

Concrete protections from our BAA and service agreement — not marketing promises.

No AI training on your data

We contractually prohibit using your data to train AI or machine learning models. Most AI vendors don't make this promise.

10-day breach notification

HIPAA allows up to 60 days to notify you of a breach. Our BAA commits to 10. If something goes wrong, you'll know fast — not two months later.

Data deleted after termination

When you leave, we retain your data for 60 days so you can export everything. After that, it's securely and permanently deleted. Your patient data doesn't linger on our servers.

BAA signed before day one

We execute a Business Associate Agreement with every customer before accessing any patient information. No exceptions, no delays.

AI Safety

Honest about AI

We use AI and we're upfront about it. Our AI may occasionally produce inaccurate or unexpected responses.

That's why we built a rigorous testing infrastructure — hundreds of synthetic test calls, multi-dimensional scoring, and continuous monitoring.

It's also why clinical questions are always routed to your team. Mimic is a receptionist, not a clinician.


Have security questions?

We're happy to walk through our security practices in detail.
