Healthcare-grade compliance, end-to-end.

Data architecture

Emma queries your existing systems — EHR, RPM, lab (LIS), scheduling, patient app — in real time, via the APIs those systems already expose. She never touches the underlying EMR data store directly. Clinical data — patient names, vitals, lab results, device readings, risk scores, conversation content — remains in your systems. We persist only metadata: opaque conversation logs that reference patient IDs from your systems (not names, dates of birth, or other identifiers), audit events, and tenant configuration.

BAAs in our vendor chain

Every vendor in the path of an Emma transaction has a signed Business Associate Agreement with Jolabdan Group LLC:

• Anthropic — LLM provider (Claude API)
• D-ID — streaming avatar
• Supabase — auth + metadata storage (Team plan)
• Google Firebase / GCP — hosting + infrastructure
• OpenAI — if used for any embeddings or Whisper STT, signed
• Sentry — if used for error tracking, signed

We sign a BAA with every partner customer. The partner BAA is a non-negotiable element of every License Agreement.

Technical controls

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Authentication: Supabase Auth with optional SAML/OAuth SSO
• Authorization: role-based access control enforced by JWT claims and PostgreSQL Row-Level Security
• Session management: 30-minute idle timeout with automatic re-auth
• Biometric login on mobile (Face ID, Touch ID, Android equivalents)
• Audit logging on every patient lookup, Emma conversation turn, and administrative action
• Log scrubbing: PHI never written to console, error tracking, or analytics
• Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP

Independent assessment

• Penetration testing: independent annual pen-test, first one scheduled before our first paid clinical deployment
• SOC 2 Type I: in progress (target: within 6 months of first signed License Agreement)
• SOC 2 Type II: planned within 18 months of Type I issuance
• HIPAA Security Risk Assessment: completed quarterly

Incident response

We maintain a written Incident Response Plan with breach notification SLAs aligned to HIPAA requirements (60 calendar days from discovery, with notification to the customer Privacy Officer within 5 business days). Customer contracts include detailed breach-handling protocols.

Data residency

Default: US data residency on Google Cloud Platform. Customers requiring specific region pinning (e.g., a state-specific health system) can request isolation in a dedicated GCP project at a premium tier.