Security and trust

Built to earn the BAA and the audit.

audit the outcome · verify activation · prove it every Friday

Riley processes patient data on behalf of dental practices, and we treat that responsibility with the gravity it deserves: HIPAA-aware architecture, SOC 2 readiness in progress (Type II audit timing is readiness-gated, and no certification is claimed before a completed report exists), OAuth-only integrations (we never see your tokens), encrypted at rest and in transit, and no model training on customer data.

Compliance status

Honest, current, no fake claims.

Live today

  • HIPAA-aware architecture, BAA where required
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Automatic PII scanning on every AI output
  • OAuth-only auth (we never store API keys)
  • Patient data never used for AI model training
  • Append-only audit log of every action
  • Per-tenant data isolation

In progress

  • SOC 2 (readiness in progress; certification not claimed)
  • ISO 27001 (planned)
  • Penetration test reports (annual, on request under NDA)

Architecture

How patient data flows.

  1. Customer authorizes via OAuth. Slack, Teams beta, Google, and payer-network connections happen via standard OAuth flows. We never see usernames, passwords, or long-term API keys. Refresh tokens are stored encrypted server-side, scoped to the smallest read/write permissions needed.

  2. Data flows in encrypted. Reviews, calls, claims, and intake forms arrive over TLS 1.3 and are stored in a managed PostgreSQL instance with at-rest encryption. Per-tenant logical isolation is enforced at the database row level.

  3. PII scan before AI processing. An automatic PII scanner inspects every input for protected categories. Flagged content gets routed through a stricter prompt path or held for owner review.

  4. AI inference, no retention upstream. AI processing happens with our model provider under commercial terms that prohibit training on customer data and limit retention. Customer data is not visible to engineers in normal operations.

  5. Output reviewed by you. Every patient-facing output (review reply, SMS, claim resubmission) appears in your Slack, email, or Teams beta for explicit approval. We do not auto-send anything that touches a patient.

  6. Audited and deletable. Every Riley action is logged to an append-only audit ledger. You can request export or deletion at any time per the Data Processing Addendum (30-day SLA for HIPAA, 45 days for CCPA, 30 days for GDPR).
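Two of the controls above, row-level tenant isolation (step 2) and an append-only audit ledger (step 6), are the ones a security reviewer most often asks to see in concrete form. The PostgreSQL snippet below is an added illustration of how such controls are typically expressed; it is not Riley's schema, and the table, column and role names (`claims`, `audit_log`, `riley_app`, the `app.tenant_id` session setting) are assumptions. It assumes PostgreSQL 11 or later.

```sql
-- Added illustration, not Riley's schema: per-tenant row isolation and an
-- append-only audit ledger in PostgreSQL. All names below are assumed.

-- Application role that owns no tables. Table owners and superusers bypass
-- row-level security unless FORCE ROW LEVEL SECURITY is set, so keeping the
-- application on a non-owner role matters.
CREATE ROLE riley_app NOLOGIN;

CREATE TABLE claims (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    payload    jsonb NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Row-level security: every SELECT/INSERT/UPDATE/DELETE is filtered by the
-- tenant id the application sets on the connection for the current request.
-- If the setting is missing, current_setting(..., true) returns NULL and the
-- comparison is never true, so the policy fails closed (no rows visible).
ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
ALTER TABLE claims FORCE ROW LEVEL SECURITY;   -- applies to the owner as well

CREATE POLICY tenant_isolation ON claims
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE ON claims TO riley_app;

-- Append-only audit ledger. The application is granted INSERT only, and a
-- trigger additionally rejects UPDATE/DELETE/TRUNCATE, so a later grant
-- mistake cannot silently make the log mutable.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    actor       text NOT NULL,        -- who performed the action
    action      text NOT NULL,        -- e.g. 'claim.resubmit.approved'
    target      text,                 -- identifier of the affected record
    occurred_at timestamptz NOT NULL DEFAULT now()
);

ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_isolation ON audit_log
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

REVOKE ALL ON audit_log FROM riley_app;
GRANT SELECT, INSERT ON audit_log TO riley_app;

-- Per-request usage from the application, inside one transaction so the
-- tenant setting cannot leak to a pooled connection's next request:
--   BEGIN;
--   SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000000';  -- placeholder tenant
--   SELECT * FROM claims;                              -- only that tenant's rows
--   INSERT INTO audit_log (tenant_id, actor, action, target)
--     VALUES (current_setting('app.tenant_id')::uuid, 'owner@example', 'claim.viewed', '42');
--   UPDATE audit_log SET action = 'x' WHERE id = 1;    -- ERROR: audit_log is append-only
--   COMMIT;
```

The design choice worth noting is that isolation is enforced by the database, not by each query remembering a `WHERE tenant_id = ...` clause, and that the audit table is protected twice (grants and trigger) so that neither a missed REVOKE nor a dropped trigger alone is enough to make it mutable. Using `SET LOCAL` rather than `SET` ties the tenant context to the transaction, which is the behaviour you want behind a connection pool.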

For DSO and enterprise

What we provide on request.

Documents

  • Business Associate Agreement (BAA)
  • Data Processing Addendum (DPA)
  • Master Subscription Agreement
  • Pen test summaries (NDA, on request)
  • Subprocessor list (always public)

Security review support

  • Security questionnaire (CAIQ-Lite, SIG-Lite)
  • Architecture call with the engineering team
  • Custom data residency on Pro and up
  • Custom retention policies
  • Single sign-on (SSO), Pro tier
  • Dedicated success manager, Pro tier

Email privacy@hireriley.com for any of the above.

A question we did not answer? Ask us.

Compliance, architecture, integrations: we will send the answer.