Trust & Security

Built for healthcare, designed for trust.

Your patient data is protected with enterprise-grade security and full HIPAA compliance.

2,000 requests/IP rate limit: WAF-enforced DDoS protection
7 years data retention: HIPAA-compliant record keeping
35 days point-in-time recovery: database backup window
99.9% uptime SLA: AWS infrastructure guarantee
<2s latency monitoring: automated alerting threshold
US only data residency: all data stays in US regions

Infrastructure

Our Security Stack

Defense in depth: multiple layers of security protecting your data at every level.

Edge Protection

AWS WAF with managed rule sets
DDoS mitigation (AWS Shield)
Rate limiting per IP address
XSS & SQL injection blocking

Network Security

Private VPC with isolated subnets
VPC Flow Logs for traffic analysis
Security groups with least-privilege rules
TLS 1.2+ on all connections

Data Encryption

AES-256 encryption at rest
AWS KMS managed keys with rotation
TLS 1.3 encryption in transit
Encrypted database connections

Access Control

Firebase Authentication with JWT
Role-based access control (RBAC)
Least-privilege IAM policies
Secrets Manager for credentials

Monitoring & Alerts

CloudWatch security alarms
Unauthorized access detection
High error rate monitoring
Real-time alert notifications

Data Resilience

Point-in-time recovery (35 days)
S3 versioning for audio files
Multi-AZ database deployment
Automated backup retention

Data Handling

How We Handle Your Data

Transparency in how we process, store, and protect your healthcare data.

Audio Processing

Audio is encrypted during upload, processed for transcription, and the original file is deleted after processing completes.

Data Storage

All data is stored in encrypted databases within US-based AWS data centers. Data is logically isolated per organization.

Retention Policies

Configurable data retention with a 7-year default to meet healthcare record-keeping requirements. Adjustable per your needs.

Deletion on Request

Request data deletion at any time. All associated data is permanently removed within 30 days of your request.

Data Portability

Export your data in standard formats at any time. Your data belongs to you.

No AI Training on Your Data

We do NOT train AI models on your patient data. Your clinical information is never used to improve our models or shared with third parties.

Your Data, Your Control

We do NOT train AI on your patient data. Your clinical information is used only to provide you with software services; it is never used for model training or shared with third parties.

FAQ

Frequently Asked Questions

Common questions about our security and compliance practices.

Do you train AI on my patient data?
No. We do NOT use your patient data to train our AI models. Your clinical information is used solely to provide you with software services. We do not share your data with third parties for any purpose, including AI training.

Where is my data stored?
All data is stored in US-based AWS data centers. We use private VPCs (Virtual Private Clouds) with network isolation, encryption at rest using AES-256, and encryption in transit using TLS 1.3. Data never leaves US jurisdiction.

How do I get a Business Associate Agreement (BAA)?
Contact us at [email protected] to initiate the BAA process. We provide standard BAAs that comply with HIPAA requirements. The process typically takes 1-2 business days to complete.

What happens if there is a data breach?
In the unlikely event of a breach, we will notify affected parties within 24 hours of discovery, as required by HIPAA. Our incident response team will immediately contain the breach, investigate the cause, and implement remediation measures. We maintain cyber liability insurance and have documented incident response procedures.

Who has access to my data?
Access to patient data is strictly limited to authorized personnel who require it for support purposes, and all access is logged in immutable audit trails. We implement role-based access control (RBAC) and least-privilege principles. No one at Mira Health can access your data without proper authorization and a documented business need.

How long do you retain data?
By default, we retain data for 7 years to comply with healthcare record-keeping requirements. However, retention periods are configurable based on your organizational policies. You can request deletion of your data at any time, and we will permanently remove it within 30 days.

What certifications do you have?
We maintain HIPAA compliance and sign Business Associate Agreements (BAAs) with all customers handling PHI. We conduct regular security assessments and penetration testing. Our infrastructure runs on AWS, which maintains SOC 1/2/3, ISO 27001, and HIPAA certifications.

Can I get a security review or complete a security questionnaire?
Yes. We are happy to participate in security reviews, complete security questionnaires (SIG, CAIQ, custom), and provide documentation of our security practices. Contact us at [email protected] to schedule a security review call.

Status

System Status

All Systems Operational

Web Application: Operational
Voice Agent API: Operational
AI Processing: Operational
Database: Operational
Authentication: Operational

Last updated: Apr 17, 2026, 10:18 PM

Get Started

Have security questions? We have answers.

Our team is here to answer any security or compliance questions. Schedule a call or reach out directly.