Trust Center

Everything you need to verify us.

Policies, sub-processors, certifications, BAA template, and our security questionnaire - all in one place. Updated quarterly, or sooner when anything material changes.

Last updated: May 2026 Reviewed quarterly

Compliance

Current attestations.

Active certifications and the next audit window for each.

HIPAA ● Active

BAA signed with every customer at onboarding. Annual risk assessment.

SOC 2 Type II ● Active

Audited continuously. Next report window: Q3 2026.

HITECH ● Active

Encrypted at rest (AES-256) and in transit (TLS 1.3).

ISO 27001 In progress

Targeted certification: Q4 2026.

Documents

Policies and templates.

Request access and our security team will share a link. Most reviews close in under 24 hours.

📄 BAA template

Standard Business Associate Agreement, signable as-is or with customer redlines.

View BAA →

📋 Security questionnaire

Pre-filled CAIQ / SIG Lite. Custom questionnaires returned in 5 business days.

Request →

🛡 SOC 2 Type II report

Under NDA. Shared with prospects and customers on request.

Request →

🔍 Penetration test summary

Annual third-party pentest. Executive summary available under NDA.

Request →

📘 Security overview

Public summary of our architecture, controls, and PHI handling.

View →

🔒 Privacy & data policy

How PHI is collected, retained, processed, and deleted.

Request →

Sub-processors

Every vendor that touches data.

Sub-processors who may handle customer data on Denticode's behalf. Customers are notified 30 days before any addition.

Sub-processorPurposeData typeRegion

Amazon Web Services Hosting infrastructure All customer data us-east-1, us-west-2, us-central

Anthropic LLM inference De-identified transcripts US

OpenAI LLM inference (failover) De-identified transcripts US

Deepgram Speech-to-text Audio + transcripts US

Supabase Application database All customer data us-east-1

Twilio SMS & voice delivery Phone numbers, messages US

Stripe Billing & payments Practice billing info US

All sub-processors are bound by a BAA where they handle PHI. PHI is never sent to model providers in identifiable form.

Talk to security

Have a question we didn't answer?

Our security team replies same-day. Send the questionnaire, ask about a control, or request a review call.

[email protected] Back to security overview