Security & Compliance

Last updated: April 1, 2026

Protecting your Med Spa data with HIPAA-compliant infrastructure built on SOC 2 Type 2 certified platforms, secured by Business Associate Agreements.

1. Our Compliance Posture

MedSpas.AI (Nick Dan Consulting LLC) operates as a HIPAA Business Associate for Med Spa clients. We implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI) in accordance with 45 CFR Parts 160 and 164.

Client engagements involving Protected Health Information are governed by a Business Associate Agreement (BAA) that defines our obligations for safeguarding patient data before any data processing begins.

Our managed service infrastructure is built on platforms that maintain their own HIPAA compliance programs, hold BAAs with us, and hold independent SOC 2 Type 2 certifications. All client data is processed on SOC 2 Type 2 certified infrastructure. Self-hosted components (workflow automation, speech processing) run on SOC 2 Type 2 certified AWS infrastructure.

2. Infrastructure Partners & Certifications

Amazon Web Services (AWS)

AI processing (Bedrock), text-to-speech (Polly), workflow hosting.

  • SOC 2 Type 2 certified
  • ISO 27001 certified
  • HIPAA eligible services with BAA
  • FedRAMP authorized

Supabase

Database, authentication, file storage.

  • SOC 2 Type 2 certified
  • HIPAA compliant with BAA executed
  • Data encrypted at rest and in transit

Vercel

Website and dashboard hosting.

  • SOC 2 Type 2 certified
  • ISO 27001 certified
  • HIPAA compliant with BAA executed
  • PCI DSS certified
  • All traffic encrypted via TLS

Twilio

SMS and voice communication (Security Edition).

  • SOC 2 Type 2 certified
  • HIPAA compliant with BAA executed

Paubox

HIPAA-compliant encrypted email.

  • HITRUST CSF certified
  • SOC 2 Type 2 certified
  • HIPAA compliant with BAA executed
  • All outbound email encrypted seamlessly

Deepgram

Speech-to-text processing for voice AI.

  • SOC 2 Type 2 certified
  • BAA executed

Stripe

Payment processing.

  • SOC 2 Type 2 certified
  • PCI DSS Level 1 certified
  • No PHI stored in Stripe. Patient identifiers are opaque UUIDs only. Subscription descriptions use generic terms.

3. What This Means for Your Med Spa

  • Data isolation. Each client operates in an isolated Supabase environment with Row Level Security (RLS) enforced on all tables containing patient data.
  • Encryption everywhere. Data is encrypted at rest in the database and in transit via TLS for all connections.
  • Audit logging. All access to patient data is recorded in an append-only audit log for compliance reporting.
  • No PHI in AI training. Patient data sent to AWS Bedrock for AI processing is not used to train models and does not leave your AWS account boundary.
  • Multi-factor authentication. MFA is enforced on all administrative accounts and on all portal users accessing patient data.
  • Incident response. We maintain a documented incident response plan with breach notification procedures that comply with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
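As an added illustration (not MedSpas.AI's own schema or code), this is how the per-client isolation and append-only audit logging described above are typically expressed in Postgres on Supabase; the table names and the `clinic_id` JWT claim are assumptions:

```sql
-- Added example (not MedSpas.AI's own schema): a Postgres/Supabase pattern
-- for per-client row isolation and an append-only audit log.
-- Assumptions: a JWT claim "clinic_id" identifies the tenant; table and
-- column names are hypothetical.

create table patients (
  id          uuid primary key default gen_random_uuid(),
  clinic_id   uuid not null,
  full_name   text not null,
  created_at  timestamptz not null default now()
);

-- Deny by default: with RLS enabled and forced, even the table owner sees
-- no rows unless a policy grants access (superusers still bypass RLS).
alter table patients enable row level security;
alter table patients force row level security;

-- Reads the tenant id from the caller's verified JWT (Supabase exposes
-- the claims through auth.jwt()).
create or replace function current_clinic_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() ->> 'clinic_id', '')::uuid
$$;

-- Rows are visible and writable only within the caller's own clinic;
-- WITH CHECK also blocks moving a row to another clinic on insert/update.
create policy patients_tenant_isolation on patients
  for all to authenticated
  using (clinic_id = current_clinic_id())
  with check (clinic_id = current_clinic_id());

-- Append-only audit log: the application role may insert and read its own
-- clinic's entries, but UPDATE/DELETE are revoked so nothing can be altered.
create table patient_access_log (
  id          bigint generated always as identity primary key,
  clinic_id   uuid not null,
  actor       uuid not null default auth.uid(),
  patient_id  uuid not null,
  action      text not null check (action in ('read', 'create', 'update')),
  logged_at   timestamptz not null default now()
);
alter table patient_access_log enable row level security;
revoke update, delete on patient_access_log from authenticated, anon;
create policy audit_append on patient_access_log
  for insert to authenticated
  with check (clinic_id = current_clinic_id());
create policy audit_read_own_clinic on patient_access_log
  for select to authenticated
  using (clinic_id = current_clinic_id());
```

A useful check when reviewing such a setup is to query `pg_policies` and `information_schema.role_table_grants` for every table holding patient data, confirming that RLS is forced and that no application role retains UPDATE or DELETE on the audit table.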

4. SOC 2 Statement

MedSpas.AI is built on SOC 2 Type 2 certified infrastructure. All managed service vendors in the MedSpas.AI stack maintain their own independent SOC 2 Type 2 certifications. Self-hosted open-source components run on SOC 2 Type 2 certified AWS infrastructure. AWS, Supabase, Vercel, Twilio, Paubox, Deepgram, and Stripe each maintain independent SOC 2 Type 2 audit reports covering Security, Availability, and Confidentiality trust service criteria.

Our infrastructure partners' SOC 2 reports are available upon request through their respective trust centers. We are happy to assist with vendor security questionnaires related to our technology stack.

5. Questions?

For compliance inquiries, security questionnaires, or to request a copy of our Business Associate Agreement, please contact us.