NoteRise is built for behavioral health and care management teams who can't afford to compromise on privacy. Here's exactly how we protect the data you trust us with.
NoteRise does not sell, rent, or share your personal information or patient data with third parties for marketing or advertising purposes — under any circumstances. We don't use your clinical data to train AI models or build profiles. Full stop.
General-purpose AI tools weren't designed with HIPAA in mind. NoteRise was. Every architectural decision — from how notes are generated to where data lives — was made with your compliance obligations and your patients' privacy as the baseline.
We operate as a HIPAA Business Associate and execute BAAs with every client organization before any PHI is processed.
Our security program is actively monitored and audited. SOC 2 Type II certification is underway, tracked continuously via Vanta.
All data is stored and processed in AWS US regions. A BAA is in place with AWS covering all relevant services.
Client organizations can request deletion of all their data at any time. We process requests within 30 days.
No legal jargon. Here's what NoteRise commits to every organization that trusts us with patient data.
Your data stays in the US. All storage and processing happens in AWS US regions. We don't move data across borders.
Encryption everywhere. AES-256 at rest, TLS 1.2+ in transit. Every byte of PHI is encrypted end-to-end.
We don't mingle your data. Each client organization's data is logically isolated. Your notes are never mixed with another organization's.
Full audit trail. Every access and authentication event is logged immutably via AWS CloudTrail — ready for compliance audits at any time.
BAAs for everyone in the chain. NoteRise signs a BAA with your organization. Every subprocessor that touches PHI has a BAA with us.
Breach notification. In the event of a security incident affecting your data, we will notify you promptly in accordance with HIPAA and your BAA.
We're happy to walk through our security practices, share documentation, or execute a BAA. Reach out directly.