AlfredAI

Security & trust

Built for the chart, not around it.

AlfredAI is designed under clinical governance and operated to HIPAA-aligned standards. Here's how PHI, models, and clinical accountability are handled.

Security pillars

HIPAA-aligned program

Administrative, physical, and technical safeguards aligned to the HIPAA Security Rule. BAA available for all customers handling PHI.

SOC 2 in flight

SOC 2 Type I targeted, with Type II observation window to follow. Controls library mapped to AICPA TSC.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Customer-isolated tenancy. Key management via cloud KMS with rotation policies.

Identity & access

SSO/SAML for clinical users, RBAC down to the agent action, and least-privilege service accounts for EMR connectors.

Resilient infrastructure

US-region cloud deployment, isolated environments, audited backups, and tested disaster-recovery runbooks.

Auditable AI by default

Every agent recommendation carries provenance, model version, and clinician sign-off — first-class data in the chart, not a sidecar log.

Clinical & AI governance

Accountability is part of the architecture.

Clinician of record

Every recommendation is reviewed and signed by a clinician. AlfredAI never acts autonomously on patient care.

Model governance

Versioned models, evaluation harness against clinical scenarios, and human-in-the-loop review for material changes.

Data minimization

We collect only the PHI necessary for the workflow. No training on identifiable patient data without explicit, contractual permission.

Incident response

Documented IR playbooks, defined notification SLAs, and customer transparency aligned to HIPAA breach standards.

Need our security package?

Architecture diagrams, BAA template, subprocessor list, SOC 2 status memo, and penetration-test summary are available under NDA for qualified prospects and customers.

Request security packet

AlfredAI is not a medical device and is not FDA cleared. Statements about SOC 2 reflect program status, not completed attestation. Specific certifications and dates available under NDA.