Security & Compliance
Last updated: June 10, 2026
We sign a Business Associate Agreement (BAA) with every client and architect our services so that, by default, MedSpas.AI does not create, receive, maintain, or transmit Protected Health Information (PHI). Level 3 or Level 4 engagements activate the BAA’s full PHI scope on HIPAA-grade infrastructure.
1. Our Compliance Posture
MedSpas.AI (Nick Dan Consulting LLC) signs a Business Associate Agreement (BAA) with every client at engagement start. We operate as a HIPAA Business Associate and implement the administrative, physical, and technical safeguards required of business associates under the HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164).
In addition to the BAA, our Audit, Build, and Support services are deployed to client-owned infrastructure (the client’s own AWS, Supabase, Vercel, and other vendor accounts). This Pure Client-Hosts architecture is designed so that MedSpas.AI does not create, receive, maintain, or transmit Protected Health Information (PHI) during default engagements: PHI stays in accounts the client owns and controls. The BAA is in place to protect both parties if incidental or unintended PHI access nonetheless occurs.
Level 3 or Level 4 engagements involve active PHI processing by MedSpas.AI on Consultant-Managed Infrastructure, governed by the same BAA framework supplemented by HIPAA-grade vendor add-ons (Supabase HIPAA, Vercel HIPAA, Twilio HIPAA) and additional fees reflecting the operational scope.
In short: the BAA covers any incidental PHI access, the architecture keeps PHI out of MedSpas.AI systems during default engagements, and the resulting controls are reviewable in the architecture diagrams and code we deliver, not just in paperwork.
2. Infrastructure Partners & Certifications
2A. Our Service Operations (Default Engagements)
The following vendors are used by MedSpas.AI for our own business operations (website hosting, internal admin portal, marketing outreach, payment processing). None of them handles client patient data under default engagements (Audit, Build, Support). When a system we build for a client collects patient data, that data lives entirely within the client’s own infrastructure under the Pure Client-Hosts architecture described in Section 1.
- Vercel: Website hosting (medspas.ai). SOC 2 Type 2 report, ISO 27001 certified.
- Supabase: Internal admin portal database. SOC 2 Type 2 report.
- Twilio: SMS for cold outreach marketing (non-PHI use). SOC 2 Type 2 report.
- Stripe: Payment processing. SOC 2 Type 2 report, PCI DSS Level 1 service provider. No PHI stored; cardholder data is handled by Stripe, not by MedSpas.AI.
- Anthropic Claude: AI inference for marketing content, development, and internal automation. Not BAA-covered; used only for non-PHI work, and no client patient data is sent to it.
- Cloudflare: Turnstile bot detection and CDN. SOC 2 Type 2 report.
2B. Active BAAs (Available for Level 3 or Level 4 Engagements)
The following vendors have executed Business Associate Agreements with MedSpas.AI. These BAAs are dormant under default engagements (no PHI is handled) and become operative when a Level 3 or Level 4 engagement involving PHI processing is contracted.
- Amazon Web Services (AWS): SOC 2 Type 2 report, ISO 27001 certified, HIPAA-eligible services, FedRAMP authorizations. BAA executed via AWS Artifact (March 17, 2026). Covers Bedrock (AI inference), Polly (TTS), EC2, S3, and other HIPAA-eligible services. Note that the AWS BAA applies only to services on AWS’s HIPAA Eligible Services list; PHI is never placed in services outside that list.
- Paubox: HITRUST CSF certified, SOC 2 Type 2 report, HIPAA-compliant encrypted email. BAA executed.
- Fathom: Call transcription. BAA executed.
- Deepgram: Speech-to-text processing for voice AI. SOC 2 Type 2 report. BAA executed (March 27, 2026).
- Google Workspace: Business documents and storage. BAA executed.
2C. Pending BAAs (Activate Upon Level 3 or Level 4 Engagement)
The following vendors require BAA activation when a Level 3 or Level 4 engagement is signed. They are not in active BAA status under default engagements because default engagements do not handle PHI:
- Supabase: Team plan + HIPAA add-on (BAA activates on upgrade).
- Vercel: Pro plan + HIPAA BAA add-on.
- Twilio HIPAA Edition: Required for any PHI-handling voice/SMS.
3. What This Means for Your Med Spa
- BAA executed with every client. We sign a Business Associate Agreement at engagement start as standard practice. The BAA covers both parties for incidental or unintended PHI access during the engagement.
- Default engagements: no active patient data processing. Under Audit, Build, and Support engagements, MedSpas.AI does not actively store, process, or transmit your patients’ Protected Health Information. Patient data, when collected by systems we build for you, lives entirely within your own infrastructure (your AWS, Supabase, Vercel, and other vendor accounts).
- Compliance-by-architecture. Systems we design for you are architected so that PHI does not need to flow through MedSpas.AI servers, accounts, or vendors. This is reviewable in architecture diagrams and code, not just paperwork.
- Client owns their compliance. Your organization remains responsible for your own HIPAA compliance program, including workforce training, policies and procedures, breach notification, and any BAAs you maintain with your own vendors.
- Level 3 or Level 4: active BAAs available. If your engagement requires PHI processing on Consultant-Managed Infrastructure (Level 3 or Level 4), MedSpas.AI puts the BAA’s full PHI scope into effect before any PHI processing begins, and the vendor BAAs listed in Section 2B (together with those in Section 2C, once activated) apply.
4. SOC 2 Statement
MedSpas.AI uses vendors that hold SOC 2 Type 2 reports for our own operations (Section 2A) and for any Level 3 or Level 4 engagement (Section 2B). MedSpas.AI does not hold a SOC 2 Type 2 report of its own. The SOC 2 reports referenced on this page are independent auditor attestations of each vendor’s controls, not certifications, and they cover the vendor’s platform rather than the configuration of systems built on top of it. MedSpas.AI’s own controls are covered by the BAA and by the architecture described in Section 1.
Vendor SOC 2 reports are available on request through the respective vendors’ trust centers (typically under NDA). We are happy to assist with vendor security questionnaires related to our technology stack.
5. Questions?
For compliance inquiries, security questionnaires, or to request a copy of our Business Associate Agreement, please contact us.