Security built for healthcare.

Aria handles protected health information for thousands of dental patients every day. Here's exactly how we protect it — and what we expect of every vendor in our chain.

Compliance & certifications

Aria is built to operate as a HIPAA Business Associate of dental practices. We maintain a written compliance posture covering the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, plus HITECH alignment for breach response and electronic transmission of PHI.

HIPAA: Self-attested compliance with the Privacy, Security, and Breach Notification Rules. Signed BAA included with every customer contract; available for review prior to signing.
SOC 2 Type II: In progress; target completion Q3 2026. We do not currently hold a SOC 2 Type II report and will not claim one we don't have. Our enterprise cloud, payment, and communications subprocessors hold their own SOC 2 attestations, and we maintain SOC 2-aligned controls in advance of the formal audit.
HITECH: Aligned. Breach notification within the 72-hour internal target and the 60-day regulatory ceiling. Audit logging covers all PHI access events.
State data residency: US-only by default, across primary US-East and US-West cloud regions. State-specific PHI handling requirements for California, Washington, and New York are honored. EU residency is not currently supported.
HITRUST CSF: Not pursuing certification today. For enterprise DSOs that require it, we usually address HITRUST requirements through vendor questionnaire alignment, on request.

Encryption

All protected health information is encrypted both at rest and in transit. We do not store PHI in plaintext anywhere in the system — including logs, error monitoring, and analytics pipelines.

At rest: AES-256-GCM

PHI fields are encrypted with AES-256-GCM, an authenticated mode, so any modification of stored ciphertext is detected on decrypt rather than silently producing garbage. The 256-bit master key (64 hex characters) is held in cloud KMS and is never present in application code.

In transit: TLS 1.3

All API traffic, voice streams, and SMS gateway connections require TLS 1.3 at minimum; TLS 1.0 and 1.1 are explicitly disabled, and HSTS is enforced at the edge. TLS protects the connection to the SMS gateway; delivery of the message itself over the carrier network lies outside that encryption boundary.

Key rotation

Application-layer data-encryption keys rotate on a 90-day default policy. Cloud KMS-managed root keys rotate annually; because data keys are wrapped by the root key (envelope encryption), a root rotation re-wraps the data keys rather than re-encrypting every stored record.

Phone hash lookups

Patient phone-number lookups run against a SHA-256 hash of the number; lookup indexes never hold the number itself. The encrypted phone number is recovered only when an authorized session decrypts the patient record.

Business Associate Agreement (BAA) process

Every Aria customer signs a BAA before any PHI is transmitted to the platform. Our BAA covers: permitted uses and disclosures, safeguards, reporting of breaches and security incidents, subcontractor flow-down, return/destruction of PHI on termination, and your audit rights as a covered entity.

To request the BAA before you sign, email AriaDental@Velzyx.ai. Standard turnaround is one business day. We will negotiate reasonable customer markups; we will not strip the standard breach-notification or audit-rights clauses.

Subprocessors

Aria uses a small set of vetted subprocessors. Each holds its own BAA with us where PHI may flow, and each holds compliance attestations relevant to its role.

Cloud hosting: Enterprise cloud infrastructure across two US regions, hosting the primary application and database. SOC 2 Type II, HIPAA-eligible. BAA in place.
Voice runtime: Proprietary voice orchestration layer for low-latency speech-to-speech conversation. PHI may flow during active calls. BAA in place with all underlying subprocessors.
Language model inference: Enterprise, BAA-covered language model providers for voice and chat. PHI flows through inference pipelines for active calls and chats only; no training on customer data.
SMS gateway: HIPAA-eligible SMS provider with BAA, used for delivery of confirmations, reminders, and recall outreach. SOC 2, 10DLC registered.
Payments: PCI DSS Level 1 payment processor, HIPAA-eligible for payment metadata. We do not store card numbers; payment instruments are tokenized.
Insurance EDI: Real-time X12 270/271 eligibility clearinghouse for dental insurance verification. SOC 2 Type II, HIPAA BAA.
Error monitoring: Application error tracking. PHI is scrubbed at the SDK level before transmission; no patient identifiers appear in error reports. SOC 2 Type II.
Analytics: Google Analytics 4 (de-identified site usage), Microsoft Clarity (session replay with PHI masking), Google Tag Manager. None receive PHI; aggregate marketing telemetry only.

Full subprocessor list with categories, purposes, and data types is available to customers and prospects under NDA — request from AriaDental@Velzyx.ai.

Access controls

Aria operates on the principle of least privilege. Every authenticated session — whether human admin, API client, or background worker — operates with the minimum permissions required for the task.

  • Role-based access control (RBAC) across the admin dashboard. Owner, Manager, Front Desk, Provider, Auditor — each with distinct read/write scopes.
  • Two-factor authentication mandatory for all admin and Aria-internal accounts. TOTP and WebAuthn supported; SMS 2FA deprecated for internal use.
  • API key authorization with per-key scopes and rate limits. Keys rotatable by the practice owner without Aria intervention.
  • JWT session tokens with short TTL and refresh-token rotation.
  • Full audit logging of every data access event, including read-only views of PHI. Logs retained 12 months minimum, available to the practice on request.
  • Privileged access review quarterly. The set of Aria-internal staff with admin-tier access to customer data is documented, reviewed, and minimized.

Data retention

Default retention policies, configurable per practice within regulatory bounds:

Call audio: 90 days by default. Configurable up to 7 years per practice settings (dental records retention requirements vary by state).
Call transcripts: Retained per practice settings; default mirrors call audio. Stored encrypted, accessible to authorized practice staff only.
Chat transcripts: Retained per practice settings; default 1 year. Encrypted at rest.
Patient profile data: Retained for the active life of the practice contract. On termination, returned to the practice (CSV export) and destroyed within 60 days unless the practice requests extended retention.
Backups: 30 days rolling, encrypted, geo-redundant. Data restored from backup is subject to the same retention windows, so a restore does not resurrect records that have aged out.
Audit logs: 12 months minimum. Available on request to the practice within 7 business days.

Breach notification

Aria operates a breach notification protocol aligned with the HIPAA Breach Notification Rule and HITECH:

  • Internal target: 72 hours from detection — preliminary notification to affected practice contacts within 72 hours of confirmed unauthorized access or disclosure of PHI.
  • Regulatory ceiling: 60 days from discovery — formal HIPAA-compliant notification with the standard required content (description of breach, types of PHI involved, steps to mitigate, contact information).
  • Post-incident report — full root cause analysis delivered to affected practices within 30 days of notification.
  • Coordinated regulator engagement — Aria coordinates with the practice on HHS OCR notification and any state attorney general notifications required.
  • NIST Cybersecurity Framework alignment — incident classification and response phases mapped to the NIST CSF Identify/Protect/Detect/Respond/Recover model.

Vulnerability management

Security is a continuous practice, not a checkbox. Aria's vulnerability management program combines four practices:

  • Quarterly external penetration testing by an independent third party. Findings tracked to closure with documented remediation timelines.
  • Continuous dependency scanning via GitHub Dependabot + npm audit + pip-audit. Critical CVEs patched within 7 days; high within 30; medium within 90.
  • Static code analysis on every pull request — secrets scanning, SAST (semgrep), and CI-blocking on critical findings.
  • Bug bounty / responsible disclosure — researchers can report vulnerabilities to AriaDental@Velzyx.ai. Acknowledgement within 48 hours; severity triage within 5 business days; coordinated disclosure once patched.

Incident response

Aria maintains a written Incident Response Plan covering preparation, detection, containment, eradication, recovery, and post-incident review. Key components:

  • Tabletop exercises twice annually — leadership rehearses likely incident scenarios (subprocessor breach, internal credential compromise, ransomware, malicious insider) and validates response steps.
  • IR playbook — written runbooks for our top dozen incident types, with named on-call owners and escalation paths.
  • Customer communication templates — pre-approved language for breach notification, status updates, and post-incident reports. Communication during an incident is the second-most-important thing after containment; we don't want to be drafting tone in a crisis.
  • Forensics readiness — log retention, immutable audit trails, and tooling that lets us reconstruct event timelines for regulators and affected practices.

Questions?

Security questions, BAA requests, vendor questionnaires, and pen-test findings all route to AriaDental@Velzyx.ai. We respond within one business day.

For privacy-specific questions (data subject requests, opt-outs, marketing data), see our Privacy Policy. For platform-level technical documentation, see Platform.

Talk to us about security

Bring your questionnaire. Our compliance lead will walk through our posture line by line and, if needed, sign your BAA in the same call.

Schedule a security review →