Security & trust

A platform you can
show your auditor.

Pulse handles protected health information and patient money. We built it the way we wish our own bank built theirs — transparent, auditable, locked down by default.

HIPAA-aligned, day one

BAA available before kickoff. PHI is encrypted in transit (TLS 1.3) and at rest (AES-256). Access tightly scoped by role and per-practice. Audit logs are immutable and retained for the regulatory minimum plus your contract's extra window.

BAA chain that's actually short

Pulse → Supabase (HIPAA-eligible, BAA) → Anthropic (BAA via Claude API). Clerk handles staff-only auth and never touches PHI. One contract, one liability boundary — no surprise sub-processors hidden in an appendix.

Your patient records never leave your office

Tier 1 (Insights default): the Pulse Connector computes aggregates locally on your Open Dental server and ships only de-identified rollups to the cloud. Your patient names, chart numbers, and clinical detail stay inside your network.

Tier 2 — full PHI, opt-in

Remit and a handful of advanced Insights features require full PHI access (so we can post the right ClaimProc, draft the appeal, render the EOB). That tier is gated behind a countersigned BAA and explicit configuration — never on by default.

Audit trail that holds up

Every Pulse action is logged twice — into Pulse's immutable audit store and into Open Dental's SecurityLogs. The two stores stay in sync; if they diverge, Pulse halts until the discrepancy is investigated.

SOC 2 Type II in progress

Type I controls documented. Audit window opened. Targeting Q4 2026 attestation. Your account team can share the in-progress letter once the BAA is countersigned.

Tier 1 vs Tier 2

We default to the safest tier.

Insights runs on Tier 1 — your patient records never leave your office. Tier 2 unlocks Remit and a handful of PHI-dependent Insights features. You decide when (or if) to opt in.

Tier 1 · default for Insights

Aggregates only.

The Pulse Connector runs on your Open Dental server. It computes KPI rollups locally — production totals, A/R buckets, hygiene percentages — and ships only de-identified numbers to the Pulse cloud. Your patient names, chart numbers, and clinical detail stay inside your network.

  • · No PHI leaves your office.
  • · BAA optional (recommended).
  • · Powers all default Insights dashboards.

Tier 2 · required for Remit

Full PHI access, gated.

Remit needs full PHI to post the right ClaimProc, draft the appeal that cites the right chart, and render the EOB next to the patient's claim. Tier 2 is gated behind a countersigned BAA and explicit per-organization configuration. Never on by default.

  • · BAA required.
  • · PHI encrypted in transit + at rest.
  • · Every action mirrored to OD SecurityLogs.

The BAA chain

Every system PHI touches, and who's on the BAA.

No black box. Here is every component your PHI touches, what it does, and which BAA covers it.

Source of truth

Your Open Dental

OD on Windows. Pulse Connector reads via API + read-only SQL. No inbound ports.

Local agent

Pulse Connector

Windows service. Outbound mTLS only. One-click uninstall + revoke.

App database

Supabase (HIPAA tier)

BAA in place. PHI encrypted at rest (AES-256). HIPAA-eligible region.

AI reasoning

Claude · Anthropic

BAA via Anthropic Claude API. PHI passed only when the user runs an AI insight.

Staff authentication

Clerk

Staff-only logins. Never sees PHI. RBAC enforced at the Pulse app boundary.

Clearinghouse (Remit only)

DentalXChange / Vyne

ERAs, claim filings, appeals. TLS 1.3, scoped credentials. Carrier BAAs apply.

The Pulse Connector exposes no inbound ports on your network. Every connection from your practice is outbound, authenticated by mTLS, and revocable in one click from your Open Dental server.

Encryption

In transit and at rest.

Every byte. Every hop. Per-tenant key isolation in Tier 2.

In transit

TLS 1.3 everywhere. mTLS for the Connector.

  • · Public marketing + dashboard: TLS 1.3, HSTS preloaded.
  • · Pulse Connector → cloud: mutual TLS, client cert pinned per-practice, auto-rotated.
  • · Cloud → Open Dental API: TLS over the LAN inside your network — initiated from the Connector, never from us.
  • · Cloud → Anthropic Claude API: TLS 1.3, BAA in place.

At rest

AES-256 column-level on PHI.

  • · Supabase Postgres: AES-256 at the storage layer, column-level encryption on PHI tables in Tier 2.
  • · Backups: encrypted at rest, retained 30 days, restorable to a point-in-time.
  • · Secrets: Cloudflare Workers Secrets + Supabase Vault. No secrets in source.
  • · EOB PDFs: encrypted in object storage, scoped per-org.

Sub-processors

Every vendor PHI touches.

Listed in full, with role, location, PHI exposure, and BAA status. We notify you 30 days before adding a new sub-processor that touches PHI.

VendorRoleLocationPHI exposureBAA
SupabaseApplication databaseUS (HIPAA-eligible region)PHI at rest (Tier 2 only)Signed
ClerkStaff authenticationUSNo PHI — staff identity onlyNot required
Anthropic (Claude API)AI reasoning layerUSPHI in transit on Tier 2 AI callsSigned
CloudflareCDN + Workers runtimeGlobal (US edge for PHI routes)TLS-only — no PHI persistedSigned
StripePayment processingUSPatient names + amounts onlySigned (Stripe Healthcare)
ResendTransactional emailUSNo PHI in email body — links onlyNot required

Last reviewed May 2026. We re-validate quarterly. New sub-processors that touch PHI trigger a 30-day customer notification before activation. If you require pre-approval rights, that's included in the DSO and Multi+ contracts.

Incident response

What happens when something breaks.

We've never had a customer-facing PHI incident. The playbook below is the one we'd run if we did.

0-1 hr

Detect + contain

On-call engineer triages. If PHI is even potentially in scope, we freeze writes from the suspected surface, snapshot the audit log, and start the incident-room channel.

1-24 hr

Notify + investigate

Customer security contact paged within 1 hour for any confirmed PHI exposure. Root-cause kicked off by an engineer not on the original on-call. Status page updated hourly.

24-72 hr

Report + remediate

Written post-mortem to affected customers within 72 hours, including HHS-aligned breach notification language if applicable. Remediation tickets land in the next sprint with named owners.

Security contact: security@alfoai.com (PGP key available on request). Responsible-disclosure program live; full Vulnerability Disclosure Policy is in the security packet.

Ask your compliance officer.

We have answers — BAA template, sub-processor list, security questionnaire (CAIQ Lite), pen-test summary. Tell us what you need.