Security & HIPAA

Security is the foundation, not a feature.

Statelayer handles some of the most sensitive information your clinic holds — patient details, schedules, and billing. Protecting it is built into how we work, from day one.

HIPAA & your BAA

Built around HIPAA from the start.

Statelayer is designed to operate in line with the HIPAA Privacy and Security Rules. Before any protected health information is shared, we sign a Business Associate Agreement (BAA) with your clinic — the contract that spells out exactly how we safeguard the data you entrust to us, and how we may and may not use it.

We only ever handle the scheduling, billing, and patient information needed to run the parts of your clinic we serve — and we use it solely to provide and improve the service for you. Any AI-assisted features we offer operate under those same safeguards and your BAA — your data is never sold or used to train AI models.

How we protect your data

Layered safeguards, end to end.

Encryption everywhere

Data is encrypted in transit (TLS 1.2+) and at rest (AES‑256), so it's protected both on the wire and in storage.

Least‑privilege access

Role‑based access controls mean people see only what their job requires. Access to production systems is restricted, logged, and reviewed.

Hardened infrastructure

Statelayer runs on enterprise‑grade cloud infrastructure, with physical, network, and platform security maintained by leading providers.

Monitoring & audit trails

Activity is logged and monitored so we can detect, investigate, and respond quickly to anything out of the ordinary.

Resilient & backed up

Regular encrypted backups and redundancy keep your data durable and available when your clinic needs it.

Secure by development

Security review is part of how we build and ship — considered as we design, not bolted on after the fact.

Your data, your control

Your data belongs to you.

  • You can export your data at any time — it's yours, and you're never locked in.
  • We never sell your data, and we never use patient information for advertising.
  • We use your data only to operate and improve the service for you, as defined in your agreement.
  • If you leave, we return or delete your data according to your BAA and our agreement.
Compliance & documentation

Held to a high bar — and raising it as we grow.

We hold ourselves to HIPAA standards today, and as we grow we continue investing in formal, independent security practices and assessments. If your clinic needs specific documentation — a signed BAA, a security overview, or answers for your own compliance review — just ask and we'll walk you through it.

Common questions

Frequently asked.

Is Statelayer HIPAA compliant?

Yes. Statelayer is designed to operate in line with the HIPAA Privacy and Security Rules, and protecting your clinic's data is built into how we work from day one.

Do you sign a Business Associate Agreement (BAA)?

Yes. Before any protected health information is shared, we sign a BAA with your clinic that spells out exactly how we safeguard your data and how we may and may not use it.

Who owns our clinic's data?

You do. You can export your data at any time, we never sell it or use patient information for advertising, and if you leave we return or delete it according to your BAA.

How is our data protected?

Data is encrypted in transit (TLS 1.2+) and at rest (AES‑256), access is role-based and least-privilege, and activity is logged and monitored on hardened, enterprise-grade cloud infrastructure with regular encrypted backups.

Do you have SOC 2 certification?

We hold ourselves to HIPAA standards today and continue investing in formal, independent security assessments as we grow. If you need specific documentation for your compliance review, reach out and we'll walk you through where we are.

Questions before you trust us with your clinic's data?

We're happy to talk through how we protect it. Reach out, or request our BAA and security overview at .

Reach out →