Security architecture for clinical data. Audit-ready by default.
This page is written for the people who have to defend the decision: compliance officers, privacy officers, and IT leaders evaluating Signal on behalf of a clinical team. Below is the full technical and procedural picture — what we encrypt, what we never store, who can see what, what happens in an incident, and how to get every artifact you'd expect from an enterprise vendor.
Data minimization
What we never store.
The most defensible data is the data that does not exist. Signal is designed so that several categories of sensitive content cannot be retrieved, even by us, because they were never persisted in the first place.
No raw session audio
Audio is processed in memory during the session and discarded the moment the transcript is produced. We do not write raw audio to disk, do not retain it for QA, and cannot retrieve it because it never existed at rest. This is an architectural guarantee, not a policy promise.
No third-party data sharing
PHI is never sold, syndicated, or shared with advertisers, data brokers, marketing networks, or analytics vendors. The only third parties that touch PHI are sub-processors required to deliver the service — each under a signed BAA or DPA.
No training on customer data
Your client transcripts, notes, and clinical content are not used to train Signal's models, OpenAI's models, Anthropic's models, Deepgram's models, or any third-party foundation model. Customer data is excluded from model training by contract with every model provider we use.
No silent retention after deletion
When a customer deletes a record, it is purged from primary storage within 24 hours and from encrypted backups within 35 days. We do not maintain shadow copies, archive tiers, or offline tape backups that survive deletion. Confirmation is logged and exportable.
Encryption
AES-256 in transit. AES-256 at rest. TLS 1.2+ everywhere.
Encryption is foundational, not optional. Every bit of PHI is encrypted before it leaves the browser, while it crosses our network, and while it sits at rest. Keys are managed in Google Cloud KMS with envelope wrapping for the most sensitive fields.
In transit
TLS 1.2+ enforced on every external endpoint, with HSTS preload, automated certificate rotation, and modern cipher suites only. Internal service-to-service traffic inside our private VPC is mutually authenticated.
At rest
AES-256 with envelope encryption. Cloud SQL, Firestore, Cloud Storage, and backup snapshots are all encrypted using Google-managed keys with per-customer envelope wrapping for the most sensitive PHI fields.
In memory
Session audio is held in process memory only for the duration of live transcription, then immediately discarded. We do not write audio to swap, scratch disks, or temporary files.
Backups
Backups are encrypted at rest, geographically isolated, access-logged, and rotate on a 35-day window. Restore tests run quarterly and are documented in the security overview deck.
Signed BAAs and DPAs
We sign HIPAA Business Associate Agreements with every paid US customer and Data Processing Agreements with every paid Canadian customer. Our standard templates are available before purchase, and we accept reasonable redlines from clinics and group practices. Email security@signalehr.com to request the current versions.
Compliance frameworks
Every jurisdiction we serve, on the record.
We map our controls to each framework that governs the customers we serve. Where a framework requires a written agreement, we provide one. Where it requires an artifact (PIA, IMA, breach register), it's available. Where we are still in audit, we say so plainly.
| Framework | Controls and artifacts | Region | Scope | Status |
|---|---|---|---|---|
| HIPAA | Signed BAAs available with every paid customer. Administrative, physical, and technical safeguards mapped to 45 CFR §164.308–§164.312. Annual risk analysis on file. | United States | All US healthcare PHI | Compliant |
| PIPEDA | Privacy Officer designated. Consent, accuracy, safeguard, and openness principles implemented. Breach reporting per the Digital Privacy Act. | Canada (federal) | Personal information in commercial activity | Compliant |
| PHIPA | Health Information Custodian role acknowledged in customer agreements. Lockbox capability supported on request. IPC Ontario notification procedures documented. | Ontario | Personal Health Information | Compliant |
| Law 25 | Privacy Impact Assessments performed for each high-risk processing activity. Cross-border transfer disclosures included in customer agreements. Right to portability supported. | Quebec | Personal information protection | Compliant |
| HIA | Information Manager Agreement template available. Privacy Impact Assessment artifacts shareable with the OIPC on request. | Alberta | Health Information Act | Compliant |
| PIPA BC | Residency considerations addressed in DPA. Notification procedures aligned with the Office of the Information and Privacy Commissioner for BC. | British Columbia | Personal Information Protection Act | Compliant |
| SOC 2 | Controls mapped to the Trust Services Criteria. Type I report planned for the current fiscal year. Vendor attestations available for downstream sub-processors (Google Cloud, Stripe, Stedi, TELUS). | Infrastructure controls | Security, availability, confidentiality | Aligned (audit in progress) |
| 42 CFR Part 2 | Patient consent capture for SUD record disclosure built into intake. Re-disclosure restrictions enforced in the data layer. Consent revocation logged and effective immediately. | United States | Substance Use Disorder records | Supported |
| GFE / NSA | Good Faith Estimates generated automatically for self-pay clients at intake and on schedule changes. Disclosure language tracked per state requirements. | United States | No Surprises Act — Good Faith Estimates | Built in |
Compliance posture is reviewed quarterly. The full PIA library, BAA, DPA, and current sub-processor list are available on request to security@signalehr.com.
Access controls
The right people. The right data. Logged.
Authentication, authorization, and audit are treated as one system. Every access decision is policy-driven, every PHI touch is logged, and every administrative action against an account is attributable to a real person.
Role-based access (RBAC)
Four built-in roles — owner, admin, practitioner, receptionist — each with explicit, audited permission scopes. Practitioners see only their own clinical content unless explicitly granted; receptionists never see clinical notes; admins see scheduling and billing without clinical content unless they hold a clinical role themselves.
Per-PHI audit logging
Every read, write, export, and deletion of PHI is recorded with actor, timestamp, IP, user-agent, and the specific record touched. Logs are append-only, retained for the minimum required by jurisdiction, and exportable for breach investigations or audits in machine-readable form.
Multi-factor authentication
MFA is required by default for all roles that can access PHI. Owner and admin roles cannot disable MFA for themselves. TOTP authenticator apps and WebAuthn security keys are both supported. SMS-based codes are not used as a primary factor for PHI access.
OTP-based passwordless auth
Email-delivered single-use codes with short expiry replace shared, reused, and phished passwords. Combined with MFA, this eliminates an entire class of credential-stuffing attacks. Rate limits and lockout thresholds are enforced at the edge.
JWT session management
Sessions use signed JWTs with short access-token lifetimes, refresh-token rotation, and server-side revocation. Logging out, role changes, password resets, and admin lockout actions all invalidate active sessions across devices.
Least-privilege service accounts
Internal services run with narrowly scoped IAM identities. Production database credentials are never committed, rotated automatically, and accessible only to the runtime that needs them. Engineer access to production is broken-glass and fully audited.
Built-in roles
Four roles. Explicit boundaries.
| Role | Clinical content | Schedule | Billing | Settings |
|---|---|---|---|---|
| Owner | Own + on grant | All | Full | Full |
| Admin | None by default | All | Full | Full |
| Practitioner | Own only | Own + book others | Own only | Profile only |
| Receptionist | None — ever | View all + book any | None | Profile only |
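The two rules above (clinical content is visible to its author, to an explicit grantee, and to nobody else, with every read and every grant logged) can be expressed as a small policy object. This is an added illustration, not Signal's code; the class names, the grant tuple shape and the sample IP/user-agent values are assumptions.

```python
from datetime import datetime, timezone

# Role sets taken from the roles table above (names are this example's own).
CLINICAL_ROLES = {"owner", "practitioner"}   # may author and read their own notes
GRANTING_ROLES = {"owner", "admin"}          # may grant supervision/coverage access


class AuditLog:
    """Append-only record of every PHI decision: actor, time, IP, UA, record."""
    def __init__(self):
        self._entries = []

    def append(self, actor_id, action, record_id, allowed, ip, user_agent):
        entry = {
            "actor": actor_id, "action": action, "record": record_id,
            "allowed": allowed, "ip": ip, "user_agent": user_agent,
            "at": datetime.now(timezone.utc).isoformat(),
        }
        self._entries.append(entry)          # no update or delete path exists
        return entry

    def entries(self):
        return tuple(self._entries)          # read-only view for reviewers/export


class NoteAccessPolicy:
    """Decides who may read a clinical note; denials are logged as well as grants."""
    def __init__(self, audit):
        self.audit = audit
        self._grants = set()                 # (grantee_id, note_id), hypothetical shape

    def grant(self, granter_id, granter_roles, grantee_id, note_id, ip, ua):
        # Only owners and admins may extend access; the attempt is logged either way.
        allowed = bool(set(granter_roles) & GRANTING_ROLES)
        self.audit.append(granter_id, f"grant:{grantee_id}", note_id, allowed, ip, ua)
        if allowed:
            self._grants.add((grantee_id, note_id))
        return allowed

    def can_read(self, actor_id, actor_roles, note_id, author_id, ip, ua):
        roles = set(actor_roles)
        if not roles & CLINICAL_ROLES:       # admin-only or receptionist: never
            allowed = False
        elif actor_id == author_id:          # practitioners and owners see their own
            allowed = True
        else:                                # anyone else needs an explicit grant
            allowed = (actor_id, note_id) in self._grants
        self.audit.append(actor_id, "read", note_id, allowed, ip, ua)
        return allowed
```

Because the log entry is written before the result is returned, a denied read leaves the same audit trail as a permitted one, which is what a breach investigation needs.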
Infrastructure
Hardened by default.
Signal runs on Google Cloud Platform under a signed BAA. The production environment is a private VPC with no internet-exposed databases, scoped IAM identities for every service, and a deploy pipeline that produces traceable, rollback-safe revisions.
Google Cloud — us-central1
Primary workloads run on Cloud Run in us-central1 (Iowa, USA), with multi-zone redundancy. Google Cloud holds HIPAA BAA, ISO 27001/27017/27018/27701, SOC 1/2/3, FedRAMP High, and PCI DSS attestations.
Private VPC, no public databases
Cloud SQL and Firestore are reachable only from inside the production VPC. There is no internet-exposed database endpoint. Egress is restricted to a known allowlist of payment processors, clearinghouses, model providers, and observability vendors.
Cloud SQL with row-level encryption
Highly sensitive PHI fields (clinical notes, transcripts, intake answers, payment metadata) carry an additional application-layer encryption envelope keyed per customer. Even a database compromise alone would not yield plaintext clinical content.
Hardened build & deploy pipeline
Builds run in isolated, ephemeral environments. Container images are scanned for known vulnerabilities. Production deploys are gated by required review and traceable from commit SHA to running revision. Rollbacks are one-click and audited.
Current sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| Google Cloud Platform | Hosting, storage, networking | US (us-central1) |
| Deepgram | Speech-to-text (no model training on customer data) | US |
| OpenAI / Anthropic | Language model inference (no training, zero-retention APIs) | US |
| Stripe | Payment processing | US (PCI DSS Level 1) |
| Stedi | US insurance clearinghouse (837P / 270/271 / ERA) | US |
| TELUS Health | Canadian insurance direct billing (eClaims) | Canada |
| Twilio | SMS, voice, and number provisioning for Voice Amelia | US |
| LiveKit | WebRTC for HIPAA-compliant native video | US (BAA) |
Sub-processors change occasionally. Customers receive 30 days' notice of any new sub-processor that handles PHI, with the right to object.
Incident response
When something goes wrong, you hear from us first.
Our incident response policy commits to 24-hour breach notification — well ahead of the 60-day HIPAA deadline. Every customer-affecting security incident is followed by a public, blameless post-mortem.
- T + 0, Detection: Anomaly detection on auth events, data egress, and IAM changes routes alerts to the on-call security responder within minutes.
- T + 1h, Triage: Incident commander assigned. Scope, impact, and likely attack vector documented. Customer-facing status page updated for any user-affecting incident.
- T + 24h, Notification: If PHI was reasonably likely to be accessed by an unauthorized party, affected customers are notified within 24 hours of confirmation, well ahead of the 60-day HIPAA breach notification deadline.
- T + 5d, Containment & recovery: Root cause identified, fix deployed, residual access revoked, evidence preserved for forensics. Affected records audited end-to-end.
- T + 14d, Public post-mortem: A blameless post-mortem is published for any customer-affecting security incident, with timeline, root cause, customer impact, and concrete remediation steps.
Data residency & portability
You own your data. We just hold it carefully.
The customer is the data controller. Signal is the data processor. That means you get full export, full deletion, and a clear answer about where your data physically lives.
United States
Cloud Run + Cloud SQL + Firestore in us-central1 (Iowa). PHI does not leave US territory for US customers, except for transient processing by sub-processors disclosed in the BAA.
Canada
Canadian customer data is currently processed in us-central1 under contractual safeguards disclosed in the DPA. Migration to a northamerica-northeast1 (Montréal) region is on the roadmap for Canadian residency by default.
Customer-controlled data export
GDPR-style portability. Your data, in formats you can read without us.
- Full export of clients, appointments, notes, and billing history in machine-readable formats (JSON + CSV) on demand.
- PDF export of any clinical note, with the original signature timestamp preserved.
- Right of access, correction, and erasure handled within 30 days of request, in line with PIPEDA, GDPR-style portability, and Law 25.
- Account closure includes a 30-day grace window for self-service export, then a verified purge with a written confirmation.
Pen-testing & disclosure
Find a flaw. Tell us. We'll thank you.
We engage independent security firms for periodic penetration testing against the production environment, and we welcome good-faith vulnerability reports from the security research community. Reports go to security@signalehr.com.
For PGP-encrypted communication, request our key in your initial report and we'll respond with our current public key fingerprint.
Our commitments to reporters
- Acknowledge receipt of any vulnerability report within 2 business days.
- Provide a remediation timeline for confirmed issues within 10 business days.
- Credit the reporter publicly (with consent) once the issue is resolved.
- Do not pursue legal action against good-faith researchers who follow our policy.
Out of scope
Social engineering of staff or customers, denial-of-service attacks, automated scanner output without manual validation, and any testing against customer accounts you do not own.
For your security review
Questions a compliance officer would ask.
Need something not covered here? Email security@signalehr.com — a real human reads every message and replies within two business days.
Will you sign our BAA?
Yes. We sign Business Associate Agreements with every paid US customer, and Data Processing Agreements with every paid Canadian customer. Our standard BAA is available on request before purchase, and we accept negotiated redlines from larger practices and clinic groups within reason.
Where is our data physically stored?
Primary storage is in Google Cloud's us-central1 region (Iowa, United States). Backups remain inside the same multi-region boundary. Canadian customer data is currently processed in us-central1 under contractual safeguards; a northamerica-northeast1 (Montréal) region is on our roadmap for Canadian residency by default.
Do you train AI models on our clinical data?
No. Customer transcripts, notes, and clinical content are excluded from model training by contract with every model provider we use, including Deepgram, OpenAI, and Anthropic. We use zero-retention API endpoints where available, and our internal models are trained on synthetic and licensed datasets only.
What happens to session audio?
Audio is processed in memory for transcription and immediately discarded. We do not write raw audio to disk. The transcript and the structured clinical signals derived from it are what get stored, with explicit consent. This is an architectural property of the system, not a policy that could be reversed.
How quickly will you notify us in a breach?
Within 24 hours of confirming that PHI was reasonably likely to have been accessed by an unauthorized party. This is well ahead of the 60-day HIPAA breach notification window and the equivalent windows under PIPEDA, PHIPA, and Law 25. Notification includes scope, what data was involved, and the steps we are taking.
Can we get a SOC 2 report?
Our infrastructure is SOC 2-aligned today, and a Type I audit is in progress. In the meantime we provide a security overview deck, sub-processor list, BAA, DPA, and Privacy Impact Assessment template. Email security@signalehr.com to request the package.
Who can see clinical notes inside our practice?
By default, only the authoring practitioner. Owners and admins can grant explicit access for supervision or coverage, and every grant is logged. Receptionists never see clinical content. Audit logs are reviewable by owners at any time and exportable for compliance reviews.
How do we report a security issue?
Email security@signalehr.com. We acknowledge reports within 2 business days, provide a remediation timeline for confirmed issues within 10 business days, and credit researchers publicly with their consent. We do not pursue legal action against good-faith reporters.
Need the full picture for your security review?
Our security overview deck includes the full control matrix, sub-processor list, BAA template, DPA template, PIA artifacts, network diagram, and current sub-processor attestations. Sent under NDA on request.
Vulnerability reports: security@signalehr.com