Trust & security
You can see inside
“Glass Box” means you can see inside. The platform is built on Microsoft Azure, a HIPAA-eligible enterprise cloud, and is designed from the ground up for regulated professional work. Below is how we protect your data, followed by a list of every vendor that touches it.
Security posture
How your data is protected
Built on Microsoft Azure
The platform runs on Microsoft Azure, a HIPAA-eligible enterprise cloud. Azure's HIPAA Business Associate Agreement is included in the Microsoft Product Terms, so the services we build on can be operated to support HIPAA-regulated workloads.
Encrypted in transit and at rest
Every byte of your data is encrypted as it moves and while it is stored. Nothing sits in the clear.
Private networking
Regulated data flows over private network paths between platform services rather than the public internet, reducing exposure at every hop.
Secrets in a managed key vault
Encryption keys and credentials live in a managed key vault with controlled, audited access — never embedded in code or configuration.
US data residency
Your regulated data is stored and processed in the United States (West US). It does not leave the region without an explicit, agreed configuration.
Strict tenant isolation
Each organization's data is isolated from every other tenant at the data layer, so one customer can never see another customer's records.
Full audit trail
A tamper-evident, append-only record captures who did what and when — ready for a regulatory inquiry, a discovery request, or an internal review.
Sub-processors
Every vendor that touches your data
We publish the full list of vendors that process data on the platform — an unusual level of transparency for this industry. Each is named with the role it plays, the category of data it is permitted to handle, and where that data lives.
| Provider | Role | Data categories | Data region |
|---|---|---|---|
| Microsoft Azure | Cloud platform — compute, database, storage, key/secret management, and monitoring | Regulated data (HIPAA-eligible, BAA in Microsoft Product Terms) | United States (West US) |
| Anthropic | AI language model inference (Claude) | Regulated data, under a Business Associate Agreement with zero data retention | United States |
| Resend | Transactional email (sign-up, notifications, consent confirmations) | Account metadata only — never document content or PHI | United States |
| Sentry | Error monitoring | Account metadata only — PHI is stripped before any error is recorded | United States |
HIPAA-eligible means a service can be configured and operated to support HIPAA-regulated workloads under a Business Associate Agreement. The Glass Box is designed for and aligned with HIPAA requirements; references to vendors above describe contractual data handling, not certifications. We do not claim any certification on this page.