HIPAA compliance at DIAL3D
Last reviewed · May 19, 2026
Summary
DIAL3D is HIPAA-aligned. We sign a Business Associate Agreement (BAA) on every plan, including the free Trial. Protected Health Information (PHI) is processed in a HIPAA-aligned environment with logged access, encrypted transport, encrypted storage, and minimum-necessary retention defaults.
This page describes how DIAL3D implements the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule for behavioral health treatment center customers. It is not a substitute for your own facility's HIPAA program — each Covered Entity remains responsible for HIPAA compliance in its own right.
Business Associate Agreement
DIAL3D operates as a Business Associate of every customer. A BAA is included on every plan — Trial, Professional, and Enterprise — and is countersigned during onboarding before any PHI is processed. A sample BAA is available on request from our compliance team.
The BAA covers the standard HIPAA-required terms: permitted uses and disclosures of PHI, safeguards, reporting of breaches, subcontractor flow-down, termination obligations, and return or destruction of PHI at contract end.
Administrative safeguards
Workforce members who can access PHI are limited to a minimum-necessary group. All workforce members complete HIPAA training annually. Access to production systems is role-based, logged, and reviewed quarterly. Access for departing workforce members is revoked the same business day.
DIAL3D maintains written policies covering risk analysis, contingency planning, incident response, and security awareness. The risk analysis is refreshed annually and after material changes to the production environment.
Physical safeguards
DIAL3D production infrastructure runs on SOC 2-audited cloud providers (Cloudflare, AWS) with physical access controls maintained by those providers. DIAL3D does not operate any on-premises infrastructure that processes PHI.
Technical safeguards
PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256). Voice recordings, transcripts, and structured PHI are stored in customer-tenant-isolated storage. Customer tenants cannot read other customer tenants' data; this is enforced at the storage layer, not only in application code.
Authentication to DIAL3D admin interfaces requires multi-factor authentication for every workforce member. Customer admin users may enforce MFA for their own users via SSO.
Audit logs record access to PHI by workforce members and customer users. Logs are immutable, time-synchronized, and retained for at least six years.
Breach notification
In the event of a Breach as defined by HIPAA, DIAL3D will notify affected customers without unreasonable delay and in any case within the timeframes specified in the BAA. We will provide the information required by 45 CFR § 164.404(c) to enable each affected customer to discharge its own notification obligations to patients and to HHS.
Retention and destruction
Default retention for voice recordings and transcripts is 90 days, configurable per facility and per customer. Customers may extend or shorten retention via the admin console. At contract termination, all customer PHI is returned to the customer or destroyed within 30 days, per the customer's election.
Subprocessors
DIAL3D uses a limited set of subprocessors to operate the service — primarily for telephony, speech-to-text, LLM inference, and infrastructure. All subprocessors that may handle PHI are themselves Business Associates with executed BAAs. The current subprocessor list is available on request and updated when material changes occur.
Audit and assurance
DIAL3D engages an independent third party for an annual HIPAA risk assessment. SOC 2 Type II is in progress; the report will be made available under NDA on completion (target Q3 2026). Customers may request a copy of the most recent HIPAA risk assessment summary under NDA.
Need a BAA, a security questionnaire, or the policy in PDF?
Compliance documents — BAA, risk-assessment summary, security questionnaire responses, subprocessor list — are available from our compliance team on request. Most are available under NDA within one business day.
Contact our compliance team