PHI protection is the product, not a feature.
Jeong is built and operated for HIPAA-covered clinical use on Google Cloud Platform, under a business associate agreement. Below is a summary of how we protect protected health information. Full compliance documentation is available on request.
Controls that protect every note.
Encryption everywhere
AES-256 encryption at rest for databases, storage, and backups. TLS on every connection, browser to backend to storage. Database access is SSL-only.
De-identification before drafting
Identifiers are stripped from transcripts and notes before AI drafting, reducing the PHI exposed to downstream processing.
Least-privilege access
Per-record, owner-scoped PHI access in the application. Least-privilege service accounts, managed secrets, and per-IP rate limiting on the public API.
Multi-factor authentication
TOTP-based MFA is supported and can be required across the workforce, with a server-side enforcement gate.
Audit logging
Cloud Audit Logs on PHI-handling services route to a dedicated log bucket with 6-year retention, reviewed on a defined cadence.
Data retention & disposal
Configurable retention with a scheduled purge job. Uploaded audio auto-deletes on a 24-hour lifecycle; encrypted backups roll off automatically.
A documented HIPAA program behind the app.
We maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule. The following are maintained and available for review under NDA:
- Information security policy and HIPAA Security Rule safeguards
- Security risk analysis and risk management plan
- Incident response and breach-notification procedures
- Contingency and disaster-recovery planning
- Workforce access management and least-privilege matrix
- Security awareness training and a sanction policy
- A designated Security Official and audit-log review procedure
Infrastructure & sub-processors
Jeong runs on Google Cloud Platform for hosting, storage, database, speech-to-text, and generative AI, in U.S. regions, under a business associate agreement. A current sub-processor list is available on request.
Your BAA comes first
You may not submit PHI until a BAA between your organization and Inyeon LLC is in effect. We execute BAAs before any clinical use. Reach out and we'll get one in place.
Consent is built into the workflow
Recording is subject to federal and state consent laws. Jeong confirms consent before processing, but obtaining the consents required in your jurisdiction remains your responsibility.
Questions about our security posture, sub-processors, or compliance documentation?
Email team@inyeon.dev