Security overview · pre-launch posture

The boring stuff, done right.

Miaise handles protected health information. Below is what we do today and what we're doing next. We'll add to this page as artifacts land. We won't claim certifications we don't have.

Architecture

HIPAA-architected from the first line of code, against the Security Rule NPRM baseline (final rule expected May 2026, 240-day compliance window). Retrofitting compliance after the fact is a known anti-pattern, so we designed for the Security Rule from the start instead of bolting it on later.

  • MFA required on every therapist account. TOTP plus device biometric on mobile.
  • Encryption at rest on all PHI (Firestore and Cloud Storage).
  • TLS 1.3 only in transit. Older protocol versions are not negotiated, so there is nothing to downgrade to.
  • Least-privilege IAM. Per-document access enforced by Firestore security rules (Firestore has documents, not rows), so a therapist can read and write only the records they are authorized for.
  • Audit logging on every PHI read and write, with actor, timestamp, and record ID.

Subprocessors and BAA coverage

Every service that touches PHI sits inside a Business Associate Agreement. The two services we use outside a BAA (Mapbox and VerifyPass) never receive PHI; the table says how that is enforced.

  • Google Cloud
    Role: Application infrastructure: Firestore, Cloud Storage, Cloud Functions, Cloud Run, Identity Platform, Secret Manager, Cloud Logging.
    Coverage: Signed under the standard GCP BAA.
  • Amazon Web Services
    Role: AI inference (Bedrock, Claude Sonnet 4.6), voice transcription (Transcribe Medical), text-to-speech (Polly Generative), SMS (End User Messaging), email (SES).
    Coverage: Signed under the standard AWS BAA.
  • Anthropic (via AWS Bedrock)
    Role: Large language model for SOAP draft generation and contraindication evaluation. Runs on a Bedrock cross-region inference profile under the AWS BAA.
    Coverage: Covered by the AWS BAA. No separate Anthropic relationship.
  • Mapbox
    Role: Reverse geocoding for mileage trip endpoints. Server-side only, behind a PHI-suppression gate (known client addresses are never sent for geocoding).
    Coverage: Mapbox Temporary terms (no long-term cache). HIPAA posture confirmed at procurement.
  • VerifyPass
    Role: License credential verification at therapist onboarding.
    Coverage: Data-handling addendum at signup. License data is professional credential data, not PHI.

Stripe is in our stack as the payment processor under HIPAA's payment-processing exemption. PHI never enters Stripe data fields: every Stripe call passes through a typed schema gate that admits only the fields Stripe needs, so a free-text description or a client name in metadata is rejected before the request leaves our boundary.
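The Mapbox PHI-suppression gate and the Stripe typed schema gate above are the same pattern applied twice: validate every outbound payload at the boundary against a schema that only admits fields known to be PHI-free, and refuse (rather than silently strip) anything else. The block below is an added illustration of that pattern, not Miaise's code. The Stripe field allowlist, the opaque-identifier format, the 150 m suppression radius, the function names and the sample data are all assumptions made for the example; the haversine distance is the standard formula.

```python
import math
import re
from typing import Any, Optional

# Added example, not Miaise's code. Field allowlists, the suppression radius
# and the sample data below are assumptions made for illustration.


class PhiEgressError(ValueError):
    """Raised when an outbound payload would carry PHI to a subprocessor."""


# ---- Stripe: typed schema gate ------------------------------------------
# Assumed schema: Stripe only ever receives an opaque customer token, an
# amount in minor units, a currency, and metadata whose values are our own
# opaque identifiers. Anything else (description, receipt_email, a client
# name in metadata) is rejected, not stripped, so a new caller fails loudly.
STRIPE_TOP_LEVEL = {"customer", "amount", "currency", "metadata"}
STRIPE_METADATA_KEYS = {"invoice_id", "practice_id"}
OPAQUE_ID = re.compile(r"^[A-Za-z0-9_-]{8,64}$")  # no spaces, so no names or notes


def gate_stripe_payload(payload: dict[str, Any]) -> dict[str, Any]:
    """Validate a Stripe charge payload; return it unchanged or raise."""
    extra = set(payload) - STRIPE_TOP_LEVEL
    if extra:
        raise PhiEgressError(f"fields outside the Stripe schema: {sorted(extra)}")
    amount = payload.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise PhiEgressError("amount must be a positive integer of minor units")
    if payload.get("currency") != "usd":
        raise PhiEgressError("unsupported currency")
    customer = payload.get("customer")
    if not isinstance(customer, str) or not OPAQUE_ID.match(customer):
        raise PhiEgressError("customer must be an opaque token")
    for key, value in payload.get("metadata", {}).items():
        if key not in STRIPE_METADATA_KEYS:
            raise PhiEgressError(f"metadata key not allowed: {key}")
        if not isinstance(value, str) or not OPAQUE_ID.match(value):
            raise PhiEgressError(f"metadata value for {key} is not an opaque id")
    return payload


def stripe_gate_rejects(payload: dict[str, Any]) -> bool:
    """True if the gate would block this payload (convenience for callers and tests)."""
    try:
        gate_stripe_payload(payload)
    except PhiEgressError:
        return True
    return False


# ---- Mapbox: PHI-suppression gate ---------------------------------------
# Assumed: client addresses are geocoded once, inside the BAA boundary, when
# the client record is created, so the gate compares coordinates only. A trip
# endpoint within SUPPRESS_RADIUS_M of any known client location is never sent
# to Mapbox; the caller stores an internal placeholder label instead.
SUPPRESS_RADIUS_M = 150.0
EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def gate_geocode_request(
    point: tuple[float, float],
    known_client_points: dict[str, tuple[float, float]],
) -> tuple[bool, Optional[str]]:
    """Return (may_send, placeholder). If may_send is False, do not call
    Mapbox; record `placeholder` (which stays inside the BAA boundary) instead."""
    for client_id, client_point in known_client_points.items():
        if haversine_m(point, client_point) <= SUPPRESS_RADIUS_M:
            return False, f"client-site:{client_id}"
    return True, None


# Constructed sample data for the example (not real clients or addresses).
KNOWN_CLIENT_POINTS = {"cl_8f3a2b1c": (37.7749, -122.4194)}
CLEAN_PAYLOAD = {"customer": "cus_Q1w2E3r4T5y6", "amount": 15000, "currency": "usd",
                 "metadata": {"invoice_id": "inv_0a1b2c3d", "practice_id": "prc_9z8y7x6w"}}
LEAKY_PAYLOAD = {**CLEAN_PAYLOAD, "description": "Session with J. Doe, 2026-04-21"}

if __name__ == "__main__":
    print(gate_stripe_payload(CLEAN_PAYLOAD) is CLEAN_PAYLOAD)                # True
    print(stripe_gate_rejects(LEAKY_PAYLOAD))                                  # True
    print(gate_geocode_request((37.7753, -122.4194), KNOWN_CLIENT_POINTS))   # (False, 'client-site:cl_8f3a2b1c')
    print(gate_geocode_request((37.8000, -122.4194), KNOWN_CLIENT_POINTS))   # (True, None)
```

Two design choices matter here. First, unknown fields raise instead of being dropped: a gate that quietly strips `description` hides the fact that some caller started putting client names into it, and that caller is the bug. Second, the geocoding gate works on coordinates that were resolved inside the BAA boundary, so the address itself never has to be compared, sent, or logged at the edge; only a distance check runs there.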

What we have today

  • BAAs executed with Google Cloud and AWS.
  • Asset inventory of services, data flows, and PHI locations.
  • Written incident-response and 72-hour breach-notification procedure.
  • Documented data retention aligned with state record-keeping law.
  • Self-hosted error reporting on Cloud Run, under the GCP BAA.
  • Dependabot alerts, plus a weekly dependency review as our vulnerability sweep cadence.

What we're working toward

Pre-launch. We don't claim a SOC 2 or HITRUST report we haven't earned. Our compliance roadmap, in order:

  1. Q3 2026: First independent pentest, scoped to the closed-beta surface.
  2. Q4 2026: SOC 2 Type 1 readiness assessment.
  3. H1 2027: SOC 2 Type 1 report.
  4. Late 2027: SOC 2 Type 2 observation window opens.

Dates are targets, not commitments. We'll update this page when artifacts land.

Therapist obligations

Therapists who use Miaise are Covered Entities (or, for some cash-only practices, technically not). Either way, your obligations cover your own devices, password hygiene, MFA, and how you handle client data outside Miaise. We sign a BAA with you at onboarding: Miaise is your business associate. Your clients are patients, not business associates, so there is no BAA to sign with them; the privacy obligations you owe them under the rules that apply to your practice remain yours.

Reporting a vulnerability

If you've found a security issue, email security@miaise.com. We respond within two business days. We don't have a paid bounty program yet; we do credit researchers who report responsibly.

Questions

For BAA copies, security questionnaires, or data-handling specifics, reach security@miaise.com. For everything else, try hello@miaise.com.

Last updated: April 27, 2026.