Security & Compliance

Protecting your Med Spa data with HIPAA-compliant, SOC 2 Type 2 audited infrastructure and signed Business Associate Agreements.

1. Our Compliance Posture

MedSpas.AI (Nick Dan Consulting LLC) operates as a HIPAA Business Associate for Med Spa clients. We implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI) in accordance with 45 CFR Parts 160 and 164.

Every client engagement is governed by a signed Business Associate Agreement (BAA) that defines our obligations for safeguarding patient data before any data processing begins.

Our infrastructure is built exclusively on platforms that maintain their own HIPAA compliance programs, sign BAAs with us, and have undergone independent SOC 2 Type 2 audits.

2. Infrastructure Partners & Certifications

Amazon Web Services (AWS)

AI processing, email delivery, text-to-speech, embeddings.

  • SOC 2 Type 2 audited
  • ISO 27001 certified
  • HIPAA eligible services with signed BAA
  • FedRAMP authorized

Supabase

Database, authentication, file storage.

  • SOC 2 Type 2 audited
  • HIPAA compliant with signed BAA (Pro plan + HIPAA add-on)
  • Data encrypted at rest and in transit

Vercel

Website and dashboard hosting.

  • SOC 2 Type 2 audited
  • ISO 27001 certified
  • All traffic encrypted via TLS

Twilio

SMS and voice communication.

  • SOC 2 Type 2 audited
  • HIPAA eligible with signed BAA

Stripe

Payment processing.

  • SOC 2 Type 2 audited
  • PCI DSS Level 1 certified
  • No PHI stored in Stripe. Patient identifiers are opaque UUIDs only. Subscription descriptions use generic terms.

3. What This Means for Your Med Spa

  • Data isolation. Each client operates in a dedicated Supabase project (its own Postgres database and credentials), so one client's data never shares a database with another's. Within that project, Row Level Security (RLS) is enforced on every table containing patient data, so a query returns only the rows the authenticated user is permitted to see.
  • Encryption everywhere. Data is encrypted at rest in the database and in transit via TLS for all connections.
  • Audit logging. All access to patient data is recorded in an append-only audit log for compliance reporting.
  • No PHI in AI training. Patient data sent to AWS Bedrock for AI processing is not used to train models and does not leave your AWS account boundary.
  • Incident response. We maintain a documented incident response plan with breach notification procedures that comply with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
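
As an added illustration of the data isolation and audit logging controls described above (example SQL written for this page, not MedSpas.AI's own schema or policies): a minimal Postgres/Supabase setup in which RLS lets clinic staff read and write patient records while a patient with a portal login sees only their own row, and every write to patient data is captured in an append-only audit table. The tables and functions (clinic_staff, patients, audit_log, is_clinic_staff, audit_patient_change, reject_audit_mutation) are hypothetical names chosen for this example; auth.uid(), auth.users and the anon, authenticated and service_role roles are the standard ones Supabase provisions in every project.

```sql
-- Hypothetical schema for illustration only (not the MedSpas.AI schema).
-- One Supabase project = one clinic, so the staff roster needs no clinic_id.
create table if not exists clinic_staff (
  user_id uuid primary key references auth.users (id),
  role    text not null check (role in ('provider', 'front_desk', 'admin'))
);

-- Patient records; user_id links a patient to their own portal login, if any.
create table if not exists patients (
  id            uuid primary key default gen_random_uuid(),
  user_id       uuid unique references auth.users (id),
  full_name     text not null,
  date_of_birth date,
  created_at    timestamptz not null default now()
);

alter table patients enable row level security;
alter table patients force row level security;  -- policies also bind the table owner

-- Policy helper: is the caller on this clinic's staff roster?
create or replace function is_clinic_staff() returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from clinic_staff where user_id = auth.uid());
$$;

-- Staff read every patient in the project; a patient reads only their own row.
create policy patients_select on patients
  for select to authenticated
  using (is_clinic_staff() or user_id = auth.uid());

-- Only staff create or modify records. No DELETE policy exists, so with RLS
-- enabled a DELETE from an application role simply affects zero rows.
create policy patients_insert on patients
  for insert to authenticated
  with check (is_clinic_staff());

create policy patients_update on patients
  for update to authenticated
  using (is_clinic_staff())
  with check (is_clinic_staff());

-- Append-only audit log of every write to patient data.
create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,            -- auth.uid() of the caller; null for service jobs
  action      text not null,   -- INSERT, UPDATE or DELETE
  table_name  text not null,
  row_id      uuid,
  old_row     jsonb,           -- state before an UPDATE or DELETE
  new_row     jsonb            -- state after an INSERT or UPDATE
);

-- RLS with no policies: application roles cannot read or write the log directly.
alter table audit_log enable row level security;
revoke update, delete, truncate on audit_log from anon, authenticated, service_role;

-- Belt and braces: reject mutation of existing entries regardless of role
-- (short of a superuser dropping the trigger).
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only; % rejected', tg_op;
end;
$$;

create trigger audit_log_immutable
  before update or delete or truncate on audit_log
  for each statement execute function reject_audit_mutation();

-- Row trigger that writes one audit entry per changed patient row. It runs as
-- the function owner (security definer), so the caller needs no privilege on
-- audit_log. In a DELETE trigger NEW is null, so new.id yields null and
-- coalesce falls through to old.id.
create or replace function audit_patient_change() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into audit_log (actor_id, action, table_name, row_id, old_row, new_row)
  values (
    auth.uid(),
    tg_op,
    tg_table_name,
    coalesce(new.id, old.id),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end;
$$;

create trigger patients_audit
  after insert or update or delete on patients
  for each row execute function audit_patient_change();
```

Two caveats a reviewer of this design would raise. Row-level triggers fire on writes only; a SELECT never reaches them, so read access to patient rows has to be recorded at the API layer or with an extension such as pgaudit. And because old_row and new_row hold full copies of the patient record, the audit table itself contains ePHI and needs the same encryption, retention and access controls as the source tables; compliance reporting should read it through a dedicated reporting role rather than through the application roles.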

4. SOC 2 Statement

MedSpas.AI builds exclusively on SOC 2 Type 2 audited platforms. AWS, Supabase, Vercel, Twilio, and Stripe each maintain independent SOC 2 Type 2 audit reports covering the Security, Availability, and Confidentiality trust services criteria. Those reports attest to each provider's controls over its own service; the controls specific to the MedSpas.AI application (access management, RLS policies, audit logging, incident response) are described in Section 3 and governed by our BAA.

Our infrastructure partners' SOC 2 reports are available upon request through their respective trust centers. We are happy to assist with vendor security questionnaires related to our technology stack.

5. Questions?

For compliance inquiries, security questionnaires, or to request a copy of our Business Associate Agreement, please contact us.