Jeong
Security & compliance

PHI protection is the product, not a feature.

Jeong is built and operated for HIPAA-covered clinical use on Google Cloud Platform, under a business associate agreement. Below is a summary of how we protect protected health information. Full compliance documentation is available on request.

Technical safeguards

Controls that protect every note.

Encryption everywhere

AES-256 encryption at rest for databases, storage, and backups. TLS on every connection, browser to backend to storage. Database access is SSL-only.

De-identification before drafting

Identifiers are stripped from transcripts and notes before AI drafting, reducing the PHI exposed to downstream processing.

Least-privilege access

Per-record, owner-scoped PHI access in the application. Least-privilege service accounts, managed secrets, and per-IP rate limiting on the public API.

Multi-factor authentication

TOTP-based MFA is supported and can be required across the workforce, with a server-side enforcement gate.

Audit logging

Cloud Audit Logs on PHI-handling services route to a dedicated log bucket with 6-year retention, reviewed on a defined cadence.

Data retention & disposal

Configurable retention with a scheduled purge job. Uploaded audio auto-deletes on a 24-hour lifecycle; encrypted backups roll off automatically.

Compliance program

A documented HIPAA program behind the app.

We maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule. The following are maintained and available for review under NDA:

  • Information security policy and HIPAA Security Rule safeguards
  • Security risk analysis and risk management plan
  • Incident response and breach-notification procedures
  • Contingency and disaster-recovery planning
  • Workforce access management and least-privilege matrix
  • Security awareness training and a sanction policy
  • A designated Security Official and audit-log review procedure

Infrastructure & sub-processors

Jeong runs on Google Cloud Platform for hosting, storage, database, speech-to-text, and generative AI, in U.S. regions, under a business associate agreement. A current sub-processor list is available on request.

Your BAA comes first

You may not submit PHI until a BAA between your organization and Inyeon LLC is in effect. We execute BAAs before any clinical use. Reach out and we'll get one in place.

Consent is built into the workflow

Recording is subject to federal and state consent laws. Jeong confirms consent before processing, but obtaining the consents required in your jurisdiction remains your responsibility.

Questions about our security posture, sub-processors, or compliance documentation?

Email team@inyeon.dev