
Security & trust

Twofold Health is built for healthcare providers. Every part of how we handle data reflects the sensitivity of the work you do.

HIPAA Compliant · BAA included · Audio never stored · US infrastructure
  • Compliance: HIPAA compliant (Active)
  • Data location: US infrastructure only (Active)
  • Certification: SOC 2 Type II (In progress)
  • Model training: Never on your data (Active)
01 HIPAA & BAA

Twofold Health signs a Business Associate Agreement with every healthcare organization that uses the platform. Our BAA covers breach notification, data residency on US infrastructure, subprocessor obligations, and breach cost responsibility.

02 Infrastructure

Twofold Health is hosted on Microsoft Azure. We have a formal HIPAA BAA in place with Microsoft, and all data is stored and processed in US-based Azure data centers. Azure's infrastructure provides enterprise-grade availability, security controls, and compliance standards.

03 Data residency

All protected health information processed and stored by Twofold Health is hosted exclusively on United States-based infrastructure. We do not transfer or store PHI outside of the United States.

04 Audio and recording handling

Session recordings are never stored. Audio is processed in real time to generate a transcript and note, then immediately deleted. No recording is written to disk at any point. Summarized notes are retained as part of the clinician's workflow and can be deleted at any time. Upon termination of the agreement, all PHI is returned or destroyed in accordance with our BAA.

05 Who can access your data

No one at Twofold Health has access to session transcriptions or clinical notes. The only exception is our support team, and only after receiving explicit approval from the clinician who owns the note. Access is logged and auditable.

We do not use your data to train AI models — not ours, not anyone else's. Protected health information is explicitly excluded from AI training.

06 Encryption

All data is encrypted in transit and at rest using industry-standard protocols. Patient information is encrypted at every point in the system — from capture through storage.

07 Subprocessors

All subprocessors that handle PHI on our behalf are required to sign BAAs with Twofold and are regularly assessed for HIPAA compliance. They are bound by the same confidentiality and data protection obligations as Twofold Health. Written certification is available upon request.

08 Internal security program

Twofold maintains a written information security program that includes administrative, technical, and physical safeguards. All team members complete annual HIPAA security training. Pre-employment background checks are required for all staff. Periodic risk assessments are conducted to ensure policies remain effective. Privacy and security oversight is led by our CTO.

09 SOC 2 Type II

Twofold Health is currently undergoing SOC 2 Type II certification covering Security, Availability, and Confidentiality, in partnership with Sprinto. The audit will be conducted by an independent AICPA-certified firm. We will share the report upon completion.

Questions?

For security questions, compliance documentation, or vendor assessments, reach out directly.

info@trytwofold.com