Security & trust
A platform you can
show your auditor.
Pulse handles protected health information and patient money. We built it the way we wish our own bank built theirs — transparent, auditable, locked down by default.
HIPAA-aligned, day one
BAA available before kickoff. PHI is encrypted in transit (TLS 1.3) and at rest (AES-256). Access tightly scoped by role and per-practice. Audit logs are immutable and retained for the regulatory minimum plus your contract's extra window.
BAA chain that's actually short
Pulse → Supabase (HIPAA-eligible, BAA) → Anthropic (BAA via Claude API). Clerk handles staff-only auth and never touches PHI. One contract, one liability boundary — no surprise sub-processors hidden in an appendix.
Your patient records never leave your office
Tier 1 (Insights default): the Pulse Connector computes aggregates locally on your Open Dental server and ships only de-identified rollups to the cloud. Your patient names, chart numbers, and clinical detail stay inside your network.
Tier 2 — full PHI, opt-in
Remit and a handful of advanced Insights features require full PHI access (so we can post the right ClaimProc, draft the appeal, render the EOB). That tier is gated behind a countersigned BAA and explicit configuration — never on by default.
Audit trail that holds up
Every Pulse action is logged twice — into Pulse's immutable audit store and into Open Dental's SecurityLogs. The two stores stay in sync; if they diverge, Pulse halts until the discrepancy is investigated.
SOC 2 Type II in progress
Type I controls documented. Audit window opened. Targeting Q4 2026 attestation. Your account team can share the in-progress letter once the BAA is countersigned.
Tier 1 vs Tier 2
We default to the safest tier.
Insights runs on Tier 1 — your patient records never leave your office. Tier 2 unlocks Remit and a handful of PHI-dependent Insights features. You decide when (or if) to opt in.
Tier 1 · default for Insights
Aggregates only.
The Pulse Connector runs on your Open Dental server. It computes KPI rollups locally — production totals, A/R buckets, hygiene percentages — and ships only de-identified numbers to the Pulse cloud. Your patient names, chart numbers, and clinical detail stay inside your network.
- · No PHI leaves your office.
- · BAA optional (recommended).
- · Powers all default Insights dashboards.
Tier 2 · required for Remit
Full PHI access, gated.
Remit needs full PHI to post the right ClaimProc, draft the appeal that cites the right chart, and render the EOB next to the patient's claim. Tier 2 is gated behind a countersigned BAA and explicit per-organization configuration. Never on by default.
- · BAA required.
- · PHI encrypted in transit + at rest.
- · Every action mirrored to OD SecurityLogs.
The BAA chain
Every system PHI touches, and who's on the BAA.
No black box. Here is every component your PHI touches, what it does, and which BAA covers it.
Source of truth
Your Open Dental
OD on Windows. Pulse Connector reads via API + read-only SQL. No inbound ports.
Local agent
Pulse Connector
Windows service. Outbound mTLS only. One-click uninstall + revoke.
App database
Supabase (HIPAA tier)
BAA in place. PHI encrypted at rest (AES-256). HIPAA-eligible region.
AI reasoning
Claude · Anthropic
BAA via Anthropic Claude API. PHI passed only when the user runs an AI insight.
Staff authentication
Clerk
Staff-only logins. Never sees PHI. RBAC enforced at the Pulse app boundary.
Clearinghouse (Remit only)
DentalXChange / Vyne
ERAs, claim filings, appeals. TLS 1.3, scoped credentials. Carrier BAAs apply.
The Pulse Connector exposes no inbound ports on your network. Every connection from your practice is outbound, authenticated by mTLS, and revocable in one click from your Open Dental server.
Encryption
In transit and at rest.
Every byte. Every hop. Per-tenant key isolation in Tier 2.
In transit
TLS 1.3 everywhere. mTLS for the Connector.
- · Public marketing + dashboard: TLS 1.3, HSTS preloaded.
- · Pulse Connector → cloud: mutual TLS, client cert pinned per-practice, auto-rotated.
- · Cloud → Open Dental API: TLS over the LAN inside your network — initiated from the Connector, never from us.
- · Cloud → Anthropic Claude API: TLS 1.3, BAA in place.
At rest
AES-256 column-level on PHI.
- · Supabase Postgres: AES-256 at the storage layer, column-level encryption on PHI tables in Tier 2.
- · Backups: encrypted at rest, retained 30 days, restorable to a point-in-time.
- · Secrets: Cloudflare Workers Secrets + Supabase Vault. No secrets in source.
- · EOB PDFs: encrypted in object storage, scoped per-org.
Sub-processors
Every vendor PHI touches.
Listed in full, with role, location, PHI exposure, and BAA status. We notify you 30 days before adding a new sub-processor that touches PHI.
| Vendor | Role | Location | PHI exposure | BAA |
|---|---|---|---|---|
| Supabase | Application database | US (HIPAA-eligible region) | PHI at rest (Tier 2 only) | Signed |
| Clerk | Staff authentication | US | No PHI — staff identity only | Not required |
| Anthropic (Claude API) | AI reasoning layer | US | PHI in transit on Tier 2 AI calls | Signed |
| Cloudflare | CDN + Workers runtime | Global (US edge for PHI routes) | TLS-only — no PHI persisted | Signed |
| Stripe | Payment processing | US | Patient names + amounts only | Signed (Stripe Healthcare) |
| Resend | Transactional email | US | No PHI in email body — links only | Not required |
Last reviewed May 2026. We re-validate quarterly. New sub-processors that touch PHI trigger a 30-day customer notification before activation. If you require pre-approval rights, that's included in the DSO and Multi+ contracts.
Incident response
What happens when something breaks.
We've never had a customer-facing PHI incident. The playbook below is the one we'd run if we did.
0-1 hr
Detect + contain
On-call engineer triages. If PHI is even potentially in scope, we freeze writes from the suspected surface, snapshot the audit log, and start the incident-room channel.
1-24 hr
Notify + investigate
Customer security contact paged within 1 hour for any confirmed PHI exposure. Root-cause kicked off by an engineer not on the original on-call. Status page updated hourly.
24-72 hr
Report + remediate
Written post-mortem to affected customers within 72 hours, including HHS-aligned breach notification language if applicable. Remediation tickets land in the next sprint with named owners.
Security contact: security@alfoai.com (PGP key available on request). Responsible-disclosure program live; full Vulnerability Disclosure Policy is in the security packet.
Ask your compliance officer.
We have answers — BAA template, sub-processor list, security questionnaire (CAIQ Lite), pen-test summary. Tell us what you need.