HIPAA & BAA

Built around HIPAA — not bolted onto it.

applaud operates as a HIPAA Business Associate for every healthcare practice we work with. The BAA is part of onboarding, not an enterprise upsell. This page explains what that means in practice.

Our BAA

Every customer signs a Business Associate Agreement before applaud touches a single patient record. It covers:

  • Permitted uses and disclosures of PHI — limited strictly to running review outreach on your behalf.
  • Required safeguards — administrative, physical, and technical.
  • Subcontractor obligations — every subprocessor that touches PHI signs a downstream BAA.
  • Breach notification — within 60 days of discovery, with detail.
  • Termination — return or destruction of PHI on request.

You can request the BAA before the demo. We'll send the executable version the same day.

Minimum necessary, enforced

HIPAA's minimum-necessary standard is the spine of how we built the product. We sync only:

  • Patient name (so callers can address the patient).
  • Phone and email (so we can reach them).
  • Visit date and provider (so the outreach references the right encounter).

We do not sync diagnoses, notes, vitals, lab results, prescriptions, billing codes, or any other clinical data. Our system rejects payloads containing them.
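The rejection rule above is the kind of control that is easy to state and easy to get subtly wrong, so here is an added worked example of enforcing it at a sync boundary. This is illustrative code written for this page, not applaud's own implementation; the field names, the clinical-marker list and the record layout are assumptions. The design points it demonstrates: the allowlist decides (any field not on it is rejected, whether or not it looks clinical), a record with extra fields is refused outright rather than silently trimmed, nested values under an allowed field are refused so clinical data cannot ride along inside an object, and the rejection reasons name only keys, never values, so they are safe to write to an audit log.

```python
"""Minimum-necessary payload filter: illustrative example, not applaud's code."""
from __future__ import annotations

from dataclasses import dataclass

# The only fields the page says are synced (names are assumed for this example).
ALLOWED_FIELDS = frozenset({"patient_name", "phone", "email", "visit_date", "provider"})

# Substrings that mark a key as carrying clinical data. They only classify the
# reason for a rejection; the allowlist alone decides whether a key is accepted.
CLINICAL_MARKERS = (
    "diagnos", "icd", "cpt", "note", "vital", "lab", "rx", "prescri",
    "medic", "billing", "claim", "procedure", "allerg",
)


@dataclass(frozen=True)
class ValidationResult:
    accepted: bool
    reasons: tuple[str, ...]  # key names only; values are never echoed back


def _normalise(name: str) -> str:
    """Fold case and separators so 'Primary-Diagnosis' and 'primary_diagnosis' match."""
    return name.strip().lower().replace("-", "_").replace(" ", "_")


def validate_sync_payload(payload: object) -> ValidationResult:
    """Accept a record only if every key is allowlisted and every value is a scalar."""
    if not isinstance(payload, dict):
        return ValidationResult(False, ("payload must be a JSON object",))

    reasons: list[str] = []
    for key, value in payload.items():
        norm = _normalise(str(key))
        if norm not in ALLOWED_FIELDS:
            hit = next((m for m in CLINICAL_MARKERS if m in norm), None)
            if hit:
                reasons.append(f"field '{key}' rejected: clinical data marker '{hit}'")
            else:
                reasons.append(f"field '{key}' rejected: not in allowlist")
            continue
        # Allowed fields must be flat scalars; a dict or list here could smuggle
        # clinical content (e.g. provider: {name, notes}) past the key allowlist.
        if value is not None and not isinstance(value, (str, int, float, bool)):
            reasons.append(f"field '{key}' rejected: must be a scalar, got {type(value).__name__}")

    return ValidationResult(not reasons, tuple(reasons))


def partition_batch(records: list[dict]) -> tuple[list[dict], list[tuple[int, ValidationResult]]]:
    """Split a batch into records safe to sync and (index, result) pairs to refuse and log."""
    accepted: list[dict] = []
    rejected: list[tuple[int, ValidationResult]] = []
    for i, rec in enumerate(records):
        result = validate_sync_payload(rec)
        (accepted.append(rec) if result.accepted else rejected.append((i, result)))
    return accepted, rejected


# Constructed sample records for demonstration (not real patient data).
OK_RECORD = {
    "patient_name": "A. Example",
    "phone": "+1 555 010 0000",
    "email": "a.example@example.invalid",
    "visit_date": "2024-03-01",
    "provider": "Dr. Example",
}
CLINICAL_RECORD = {**OK_RECORD, "Primary-Diagnosis": "redacted", "vitals": {"bp": "redacted"}}
UNKNOWN_FIELD_RECORD = {**OK_RECORD, "favorite_color": "blue"}
NESTED_RECORD = {**OK_RECORD, "provider": {"name": "Dr. Example", "notes": "redacted"}}

if __name__ == "__main__":
    ok, bad = partition_batch([OK_RECORD, CLINICAL_RECORD, UNKNOWN_FIELD_RECORD, NESTED_RECORD])
    print(f"accepted {len(ok)} record(s), rejected {len(bad)}")
    for idx, res in bad:
        for reason in res.reasons:
            print(f"record {idx}: {reason}")
```

A practical note on the design: the reason strings deliberately carry only key names, because the rejection log is itself a place PHI can leak into if values are echoed. Rejecting the whole record, rather than dropping the offending fields and syncing the rest, keeps the failure visible to the practice so the source integration gets fixed instead of quietly shedding data on every run.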

Technical controls

  • TLS 1.2+ in transit, AES-256 at rest.
  • Least-privilege access controls. No production engineer has standing access to identified patient data.
  • Audit logs for every read and write, retained for the contractual term plus seven years.
  • Annual penetration testing.
  • SOC 2 Type II in motion.

How HIPAA shapes the outreach itself

  • Scripts and templates never mention diagnoses, procedures, or specific reasons for visit.
  • Callers are trained never to confirm clinical information, even if a patient initiates.
  • Voicemails leave a generic courtesy message — no identifying clinical context.
  • SMS templates are pre-approved and version-controlled.

Subprocessors

We use a small, audited set of subprocessors (cloud hosting, telephony, email delivery, audit-log storage). Each one is bound by a HIPAA-compliant BAA. The current subprocessor list is available to customers under NDA and is updated within 30 days of any change.

If something happens

In the unlikely event of a confirmed security incident affecting PHI:

  • You are notified within 60 days of discovery (we aim for within 72 hours).
  • You receive a written report including affected patients, scope, root cause, and remediation.
  • We assist with any patient notification or reporting obligations on your side.

Compliance questions

Compliance, legal, IT security questionnaires, security review calls — send them to compliance@applaud.you. We respond within two business days.