Security & trust

Twofold Health is built for healthcare providers. Every part of how we handle data reflects the sensitivity of the work you do.

HIPAA compliant · BAA included · Audio never stored · US infrastructure

  • Compliance: HIPAA compliant (active)
  • Data location: US infrastructure only (active)
  • Certification: SOC 2 Type II (in progress)
  • Model training: never on your data (active)
01 HIPAA & BAA

Twofold Health signs a Business Associate Agreement with every healthcare organization that uses the platform. Our BAA covers breach notification, data residency on US infrastructure, subprocessor obligations, and breach cost responsibility.

02 Infrastructure

Twofold Health is hosted on Microsoft Azure and Google Cloud Platform (GCP), running across both providers for redundancy and resilience. We maintain formal HIPAA BAAs with both Microsoft and Google, and all data is stored and processed in US-based data centers. Both platforms provide enterprise-grade availability, security controls, and compliance standards.

03 Data residency

All protected health information processed and stored by Twofold Health is hosted exclusively on United States-based infrastructure. We do not transfer or store PHI outside of the United States.

04 Audio and recording handling

Session recordings are never stored on our servers. Audio is processed to generate a transcript and note, then immediately deleted. No recording is written to disk at any point. Summarized notes are retained as part of the clinician's workflow and can be deleted at any time. Upon termination of the agreement, all PHI is returned or destroyed in accordance with our BAA.

05 Who can access your data

No one at Twofold Health can access your session transcripts, clinical notes, or patient names. Support can help with account and technical questions without ever seeing your clinical content.

06 Model training

We do not use your data to train AI models - not ours, not anyone else's. Protected health information is explicitly excluded from AI training.

07 Encryption

All data is encrypted in transit and at rest using industry-standard protocols. Patient information is encrypted at every point in the system - from capture through storage.

08 Subprocessors

All subprocessors who handle PHI on our behalf are required to sign BAAs with Twofold and are regularly assessed for HIPAA compliance. They are bound by the same confidentiality and data protection obligations as Twofold Health. Written certification is available upon request.

09 Internal security program

Twofold maintains a written information security program that includes administrative, technical, and physical safeguards. All team members complete annual HIPAA security training. Pre-employment background checks are required for all staff. Periodic risk assessments are conducted to ensure policies remain effective. Privacy and security oversight is led by our CTO.

10 SOC 2 Type II

Twofold Health is currently undergoing SOC 2 Type II certification covering Security, Availability, and Confidentiality, in partnership with Sprinto. The audit will be conducted by an independent AICPA-certified firm. We will share the report upon completion.

Common security questions

The questions clinicians ask most when evaluating an AI scribe on privacy and compliance.

No — recordings are never stored on our servers. Here's how audio is handled:

  • Processed to generate a transcript and note, then immediately deleted
  • No recording is ever written to disk at any point
  • The summarized note stays in your workflow, and you can delete it whenever you want
  • If you end your agreement, all PHI is returned or destroyed per our BAA

No. Your data is never used for AI training:

  • Not for our models, and not for anyone else's
  • Protected health information is explicitly excluded from all AI training

Yes. We sign a BAA with every healthcare organization that uses Twofold. It covers:

  • Breach notification
  • Data residency on US infrastructure
  • Subprocessor obligations
  • Breach cost responsibility

You can request a copy by emailing info@trytwofold.com.

  • Twofold staff cannot access your session transcripts, clinical notes, or patient names — not even with your permission
  • Support can help with account and technical issues without ever seeing your clinical content
  • All system access is logged and auditable

All PHI is hosted exclusively on US-based infrastructure. Specifically:

  • Hosted through Microsoft Azure and Google Cloud (GCP), where we maintain formal HIPAA BAAs
  • No PHI is transferred or stored outside the United States
  • All data is encrypted in transit and at rest, at every point in the system

Questions?

For security questions, compliance documentation, or vendor assessments, reach out directly.

info@trytwofold.com