Security · how we handle your data
The boring stuff, done right.
Miaise handles protected health information: your clients' records, your session notes, the data your practice runs on. The category default for practice-management software is to bury the compliance posture in a help-center article and lead with feature lists. We do the opposite. The trust stack is the brand.
Below is what we do today, what we're working toward, and every named subprocessor that touches your data. We add to this page as artifacts land. We don't claim certifications we haven't earned, and we date every change.
Architecture
HIPAA-architected from the first line of code, against the Security Rule NPRM baseline (final rule pending; a 240-day compliance window follows publication). Compliance bolted on after launch tends to leave gaps; we built around it from the start.
- MFA required on every therapist account. TOTP plus device biometric on mobile.
- Encryption at rest on all PHI (Firestore and Cloud Storage).
- TLS 1.3 in transit. No downgrade.
- Least-privilege IAM. Row-level access enforced by Firestore security rules.
- Audit logging on every PHI read and write, with actor, timestamp, and record ID.
Subprocessors with signed BAAs
Any service that touches protected health information sits inside a Business Associate Agreement, the contract that legally binds a vendor to HIPAA. The services below are listed with their exact role and coverage.
| Subprocessor | Role | Coverage |
|---|---|---|
| Google Cloud | Application infrastructure (Firestore, Cloud Storage, Cloud Run, Cloud Functions, Identity Platform, Secret Manager, Cloud Logging) and Vertex AI inference (primary path for Claude Sonnet 4.6 used in SOAP draft generation and contraindication signaling). | Signed under standard Google Cloud BAA. |
| Amazon Web Services | AWS Bedrock (Claude Sonnet 4.6 inference, contingency path), AWS Transcribe Medical (voice transcription), AWS Polly Generative (pre-session briefing audio), and AWS Textract (receipt OCR for the Supplies module). | Signed under standard AWS BAA. |
| Anthropic | Provider of the Claude Sonnet 4.6 model used through Vertex AI and Bedrock. No direct production-inference relationship with Miaise; the model runs under the Google Cloud and AWS BAAs that govern each path. | Indirect, covered by Google Cloud and AWS BAAs respectively. |
| Telnyx | SMS delivery on a US toll-free number, used for transactional intake-form links, booking confirmations, and safety-feature pings. Operates as a conduit carrier under 45 CFR 164.504(e); Miaise enforces strict SMS body-redaction so message bodies carry only tokenized links and operational metadata, not PHI. | Conduit carrier (no BAA required) with body-redaction discipline as the load-bearing customer-side control. See /sms-consent for the consent capture model. |
| Resend | Transactional email delivery (email verification, password reset, billing notices, booking confirmations, waitlist email) and the SMTP relay for Identity Platform account-state notifications, so all account email originates from a miaise.com sender domain with proper SPF/DKIM alignment. | Conduit-style email delivery for operational subject matter only; not in BAA scope. |
| Mapbox | Server-side reverse geocoding for mileage trip endpoints and map-tile rendering on the mobile map view. PHI-suppression gate prevents known client addresses from being transmitted; only the addresses of unknown destinations are geocoded. | Mapbox Temporary terms (no long-term cache). HIPAA posture confirmed at procurement. Not in BAA scope; no PHI transmitted. |
| Stripe | Subscription billing under HIPAA’s payment-processing exemption, and Stripe Connect Express for marketplace processing of booking-page payments. PHI is architecturally fenced out of all Stripe data fields by a typed schema gate. | Payment-processing exemption; no BAA. No PHI transmitted. |
| Plaid | Optional bank-account aggregation for therapist business-expense import. The therapist enters financial-institution credentials directly into Plaid Link; Miaise never sees or stores those credentials. Returned data is business financial data under the Gramm-Leach-Bliley Act, not PHI. | GLBA framework, not HIPAA. Not in BAA scope. |
| Expo / Apple / Google push | Push notification delivery to the mobile app. Notification payloads are operational and do not include PHI. | Not in BAA scope; payloads do not include PHI. |
Stripe is in our stack as the payment processor under HIPAA's payment-processing exemption. PHI never enters Stripe data fields. We enforce that with a typed schema gate on every Stripe call.
What we have today
- BAAs executed with Google Cloud and AWS.
- Asset inventory of services, data flows, and PHI locations.
- Written incident-response and 72-hour breach-notification procedure.
- Documented data retention aligned with state record-keeping law.
- Self-hosted error reporting on Cloud Run, under the GCP BAA.
- Dependabot alerts, plus a weekly dependency review as our vulnerability-sweep cadence.
What we're working toward
We don't claim a SOC 2 or HITRUST report we haven't earned. Our compliance roadmap, in order:
- Q3 2026: First independent pentest, scoped to closed-beta surface.
- Q4 2026: SOC 2 Type 1 readiness assessment.
- H1 2027: SOC 2 Type 1 report.
- Late 2027: SOC 2 Type 2 observation window opens.
Dates are targets, not commitments. We'll update this page when artifacts land.
Practitioner obligations
Miaise is built for licensed practitioners: massage therapists, estheticians, athletic trainers, manual therapists, and other licensed professionals in adjacent disciplines. Where you are a Covered Entity under HIPAA (typically because you transmit health information electronically in a HIPAA-covered transaction), the Business Associate Agreement we sign at onboarding governs the statutory relationship. Where you are not strictly a Covered Entity (for example, many cash-only practices, esthetic-only practices, or athletic-training practices that don't bill insurance), Miaise voluntarily applies Business Associate-equivalent protections to your client records as a matter of contract under BAA § 1.A. Either way, your obligations apply to your own devices, password hygiene, MFA, and how you handle client data outside Miaise. You sign a parallel notice or agreement with your clients where applicable law requires.
Reporting a vulnerability
Found a security issue in Miaise? Email security@miaise.com. We respond within two business days. We don't have a paid bounty program yet; we do credit researchers who report responsibly.
Questions
For BAA copies, security questionnaires, or data-handling specifics, reach security@miaise.com. For everything else, try hello@miaise.com.
Last updated: May 18, 2026.