TRUST

Security & Infrastructure

Built for healthcare from day one.

Updated October 25, 2025

At Waitly.ai, patient data security is the foundation of our platform. We employ enterprise-grade encryption, defense-in-depth infrastructure design, and strict compliance with healthcare regulations to protect your patients’ information.

Compliance & Data Privacy

HIPAA Compliance
Waitly is fully HIPAA-compliant. We execute Business Associate Agreements (BAAs) with all covered entities prior to any data exchange.
Data Ownership
Your organization retains full ownership of all patient data. Waitly does not sell, rent, or share patient PII/PHI with third parties under any circumstances.
AI Safety
  • Patient data used for AI-powered features is processed in isolated, secure environments.
  • We do not use identifiable patient data to train public or generative AI models.
  • AI processing occurs only within the context of your practice’s authorized workflows.

Cloud Infrastructure

Cloud Platform

Waitly is hosted on Google Cloud Platform, utilizing infrastructure that maintains the following certifications:

  • ISO 27001 (Information Security Management)
  • SOC 1, SOC 2, and SOC 3
  • HIPAA Compliance (with BAA)
Network Security
  • All application services operate within an isolated private network.
  • Database connections are restricted to internal traffic only — no public internet exposure.
  • All public endpoints use managed SSL certificates with automatic renewal.

Encryption

Encryption in Transit

All data transmission is encrypted using TLS 1.2+:

  • API communications between your EHR and Waitly.
  • Dashboard access for your staff.
  • Patient-facing communications.
Encryption at Rest
  • All databases are encrypted using AES-256.
  • Sensitive credentials (EHR API keys, integration secrets) are encrypted at the application level before storage.
  • All backup data is encrypted.

EHR Integration Security

Least Privilege Access

Our EHR integrations operate on a principle of least privilege. We request only the specific API scopes necessary for:

  • Reading patient demographics and contact information.
  • Reading and writing appointment schedules.
  • Accessing provider availability.
Write-Back Controls
All modifications to your EHR are strictly logged and attributable to the Waitly application, ensuring a clear audit trail.

Access Control & Monitoring

Role-Based Access Control (RBAC)
Granular permission settings ensure that only authorized personnel within your organization can access the Waitly dashboard.
Audit Logging
We maintain detailed logs of all system access and data processing activities for security audits.
Vendor Access
Waitly engineering staff have zero standing access to customer production data. Access is granted only on an as-needed basis for support, requiring temporary elevated privileges and logging.
Multi-Tenant Data Isolation
Complete logical separation ensures no cross-organization data access is possible.

Data Backup & Disaster Recovery

Automated Backups
We maintain automated backups with point-in-time recovery capabilities to ensure business continuity.
Recovery Capabilities
  • Recovery Point Objective (RPO): Minutes
  • Recovery Time Objective (RTO): Hours
  • Automatic failover for application services.

Incident Response

Disaster Recovery
Waitly maintains a documented incident response plan with continuous monitoring, defined escalation procedures, and immediate containment protocols.
Breach Notification
In the unlikely event of a security incident, Waitly will notify affected partners within 24 hours, in full accordance with HIPAA Breach Notification Rules.

Vendor Security

All third-party services we integrate with maintain HIPAA-compliant status with executed BAAs where applicable, and SOC 2 Type II certification or equivalent.

Application Security

  • Input validation on all API endpoints.
  • Protection against common vulnerabilities (SQL injection, XSS, CSRF).
  • Industry-standard HTTP security headers.
  • All API endpoints require authentication.
  • Rate limiting to prevent abuse.

We are committed to transparency and welcome questions about our security practices. Upon request, we can provide additional documentation including our HIPAA compliance attestation and Business Associate Agreement.

Request docshello@waitly.com