HIPAA & Security

DentFlow handles the most sensitive thing a practice has: patient information. So we didn't bolt compliance on at the end — DentFlow was built HIPAA-compliant from day one. Here's exactly what that means.

BAA included

Every practice — pilot included — gets a Business Associate Agreement. We operate as your business associate under HIPAA, with the obligations that come with it.

PHI never leaves our cloud

Patient information lives inside our secured AWS environment in the United States and doesn't go to outside services. The AI runs on AWS Bedrock, inside that same boundary, and never on the public OpenAI or Anthropic APIs.

Encrypted everywhere

All data is encrypted in transit and at rest. Secrets and credentials are managed in dedicated secure infrastructure, not in code.

Practices are walled off

Every practice's data is isolated at the database level — separation is enforced by the database itself, not just by application code.

Everything is audit-logged

Every data access, every change, every AI action is recorded — who, what, and when. HIPAA requires it; your practice benefits from it.

Recordings auto-delete

Voice recordings are kept only for a limited window after a visit is finalized — 30 days by default, configurable — then deleted automatically.

Humans approve everything

DentFlow drafts; your team signs off. No note is filed, no code is billed, and nothing syncs to your PMS without a person approving it.

No PHI in email

Notifications to your team are alerts, not records — they never contain patient details.

If something ever goes wrong

We maintain an incident response process and will notify affected practices of any breach of unsecured PHI as required by HIPAA's Breach Notification Rule — promptly, and with what you need to meet your own obligations.

Questions or concerns

Security questions, vulnerability reports, or anything that doesn't look right: info@gtron.ai. We read everything and respond quickly.

For how we handle personal information more broadly — including cookies and data deletion — see our Privacy Policy.