Security & Compliance for Healthcare Research

Production-grade baseline security and industry-aligned capabilities. We provide the controls and design—audit trail, no PHI in logs, encryption guidance, and RBAC—that support HIPAA-aligned workflows when the required BAAs and operational safeguards are in place. You remain responsible for your obligations, vendor agreements, and legal compliance.

BAA required for HIPAA-aligned workflows. Contact sales for details.

This page describes product capabilities and is not legal advice. Validate your use case with your compliance or legal team.

Compliance status summary

Quick reference for common compliance frameworks.
Standard | Status | Requirements / Notes
HIPAA | Available with signed BAA | BAA required with Twilio, email host, and cloud provider. Contact sales.
GDPR | Data processing addendum available | For EU data subjects. Customer responsible for DPA with vendors.
FERPA | Supported via RBAC + audit logs | Customer must validate with legal or compliance team.

Security capabilities

What we build and operate so your scheduling data and participant information stay protected and auditable.

No PHI or PII in logs

  • Audit log stores only opaque resource IDs, action types, and non-identifying metadata.
  • Names, emails, phone numbers, and message content are excluded from application and audit logs.
  • Reduces exposure for healthcare and other regulated workflows.

TLS (HTTPS)

  • All production traffic should be encrypted in transit.
  • Enforce TLS at the reverse proxy or load balancer.
  • Redirect HTTP to HTTPS in production.

Role-based access control (RBAC)

  • Roles include admin, super_admin, and patient.
  • Supports least-privilege access and access reviews.
  • Teams can limit who manages events, participants, and communications.

Audit trail

  • Every create, update, and delete action is recorded with opaque resource IDs and action types.
  • Supports accountability, investigations, and compliance reviews.
  • No PHI appears in the audit trail; your team maps resource IDs internally when needed.
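The two controls above ("No PHI or PII in logs" and "Audit trail") come down to one rule: an audit entry carries an opaque resource ID, an action type, and an allowlisted set of non-identifying metadata, and nothing else. The following is an added example, not SlotWise Pro's own code, showing one way to enforce that rule at the point where an entry is built. The field names, the allowlist contents, the PHI-detection patterns, and the sample event are assumptions constructed for the example.

```javascript
// Added example (not SlotWise Pro's own code): build audit-log entries that carry
// only opaque resource IDs, an action type, and non-identifying metadata, and
// refuse to write any value that looks like PHI/PII.
// Field names, ALLOWED_META and the sample event are assumptions for illustration.

const ALLOWED_ACTIONS = new Set(["create", "update", "delete"]);
// Metadata keys treated as non-identifying. Any other key is dropped silently.
const ALLOWED_META = new Set(["status", "slotCount", "durationMinutes", "channel"]);

// Heuristic patterns for values that must never reach an audit entry.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_RE = /\+?\d[\d\s().-]{8,}\d/;

function looksLikePhi(value) {
  if (typeof value !== "string") return false;
  return EMAIL_RE.test(value) || PHONE_RE.test(value);
}

// Build an audit entry from an application event. Throws when an identifying
// value is about to be logged, so the defect surfaces in tests rather than
// silently writing PHI to disk.
function buildAuditEntry(event, now = new Date()) {
  if (!ALLOWED_ACTIONS.has(event.action)) {
    throw new Error(`unknown action type: ${event.action}`);
  }
  const meta = {};
  for (const [key, value] of Object.entries(event.meta || {})) {
    if (!ALLOWED_META.has(key)) continue; // not allowlisted: drop it
    if (looksLikePhi(value)) {
      throw new Error(`refusing to log identifying value in meta.${key}`);
    }
    meta[key] = value;
  }
  return {
    ts: now.toISOString(),
    action: event.action,
    resourceType: event.resourceType,      // e.g. "appointment"
    resourceId: String(event.resourceId),  // opaque ID, mapped internally by your team
    actorId: String(event.actorId),        // opaque user ID, never a name or email
    meta,
  };
}

// Constructed sample: the application event carries PHI in meta; the entry must not.
const sampleEvent = {
  action: "update",
  resourceType: "appointment",
  resourceId: "64f1c0a2e4b0c9a1d2f3e4b5",
  actorId: "u_1029",
  meta: {
    status: "rescheduled",
    durationMinutes: 30,
    patientName: "Jane Doe",       // not allowlisted: dropped
    notes: "call 555-123-4567",    // not allowlisted: dropped
  },
};

console.log(JSON.stringify(buildAuditEntry(sampleEvent)));
```

The allowlist is the primary control; the regex check is a second line of defence that catches an allowlisted key being misused (for example a `channel` field that someone populates with an email address). Keeping the check in the builder rather than in a log formatter means the same guarantee holds for every sink the entry is written to.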

Encryption at rest

  • Enable encryption at rest in your MongoDB provider or cloud database.
  • Store JWT, Stripe, and API keys in a secrets manager.
  • Secrets are injected at runtime and never committed or logged.

Retention and deletion

  • Define and document a retention policy for participant and appointment data.
  • Implement deletion or anonymization with scheduled jobs or admin tools.
  • Apply the same policy to backups and audit logs.
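As an added example of the "Retention and deletion" items above (not SlotWise Pro's own code), the following is a pure retention pass that anonymizes participant records whose last activity is older than a configured window. It is deliberately database-free so the policy logic can be unit-tested; in production the same decision would drive an update against MongoDB. The record shape, the 365-day window, the list of identifying fields, and the sample records are assumptions constructed for the example.

```javascript
// Added example (not SlotWise Pro's own code): a retention job that anonymizes
// participant records older than a retention window. Record shape, field names
// and the window length are assumptions; the sample records are constructed.

const RETENTION_DAYS = 365;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Fields that identify a person; replaced with null once retention expires.
const IDENTIFYING_FIELDS = ["name", "email", "phone", "notes"];

function isExpired(record, now, retentionDays = RETENTION_DAYS) {
  const cutoff = now.getTime() - retentionDays * MS_PER_DAY;
  return new Date(record.lastActivityAt).getTime() < cutoff;
}

// Return a copy with identifying fields cleared and a timestamp for audits.
// The opaque _id is kept so existing audit-log references stay resolvable.
function anonymize(record, now) {
  const out = { ...record };
  for (const f of IDENTIFYING_FIELDS) {
    if (f in out) out[f] = null;
  }
  out.anonymizedAt = now.toISOString();
  return out;
}

// One pass over a collection. Already-anonymized records are skipped, so the
// job is idempotent and safe to run on a schedule (and against restored backups).
function runRetentionPass(records, now = new Date(), retentionDays = RETENTION_DAYS) {
  let anonymized = 0;
  const result = records.map((r) => {
    if (r.anonymizedAt || !isExpired(r, now, retentionDays)) return r;
    anonymized += 1;
    return anonymize(r, now);
  });
  return { records: result, anonymized };
}

// Constructed sample data: one record past the window, one recent.
const sampleParticipants = [
  { _id: "p_001", name: "Jane Doe", email: "jane@example.org", phone: "555-0100",
    notes: "prefers mornings", lastActivityAt: "2022-03-01T10:00:00Z" },
  { _id: "p_002", name: "John Roe", email: "john@example.org", phone: "555-0101",
    notes: "", lastActivityAt: "2024-05-20T10:00:00Z" },
];

const pass = runRetentionPass(sampleParticipants, new Date("2024-06-01T00:00:00Z"));
console.log(`anonymized ${pass.anonymized} record(s)`);
console.log(JSON.stringify(pass.records, null, 2));
```

Because the same function is applied to whatever record set is handed to it, running it over a restored backup before the backup is put back into service applies the retention policy to backups as well, which is the third bullet above.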

Industry standards and how we support them

The summary above is a quick reference. This section expands on how the same baseline controls map to healthcare, education, events, and professional services. You remain responsible for vendor agreements, legal review, and operational enforcement.

HIPAA

Healthcare (US)

Clinics, hospitals, research studies, patient or participant scheduling.

When handling PHI: sign BAAs with Twilio (SMS/voice), Vapi (if used), your email provider, and your cloud host. Enable encryption at rest, enforce TLS, and rely on the audit log (opaque IDs) and RBAC. The product provides PHI-free logs, an audit trail, and access control; you and the operator complete the remaining items in the operational checklist.

FERPA considerations

Education (US)

Classes, advising, parent-teacher appointments, student data.

The relevant controls are minimal PII in logs, access control, and retention policies. The same product capabilities apply: audit log, RBAC, and no sensitive data in application logs. You validate FERPA (or the equivalent in your jurisdiction) with your compliance or legal team.

Data privacy, GDPR considerations

Events & professional services

Conferences, workshops, consulting, salons, B2B appointments.

Consider data privacy (e.g. GDPR if processing EU data), consent for marketing/reminders, and retention/right-to-deletion. Audit log, RBAC, and absence of sensitive data in logs support these goals. You sign data-processing agreements with vendors as required.

Baseline security

General / multi-industry

Any use case requiring appointment or event scheduling with invites and reminders.

TLS, encryption at rest, audit trail, and configurable retention apply to all. Validate your use case with your compliance or legal team.

Operational checklist (when handling healthcare PHI)

For operators and customers handling protected health information, the following should be in place.

  • BAAs in place with all relevant services: Twilio (SMS/voice), Vapi (if used), email provider (SMTP/SendGrid), and cloud host (AWS/GCP/Azure)
  • TLS enforced at proxy or load balancer; no HTTP in production
  • MongoDB (or host) encryption at rest enabled in the provider console
  • NODE_ENV=production in production; no PHI in application or audit logs
  • Retention and deletion policy documented and implemented as needed (including backups and audit logs)

For non-healthcare industries, apply the same baseline (TLS, encryption, audit, retention) and follow your jurisdiction’s data-processing and vendor requirements.

Vendors and BAAs

SlotWise Pro integrates with third-party services for SMS, voice, email, and payments. When you or the operator handle PHI or other regulated data, sign Business Associate Agreements (or equivalent data-processing agreements) with:

  • Twilio – SMS and voice (IVR)
  • Email provider – SMTP or SendGrid (or equivalent)
  • Vapi – AI voice / IVR automation (if used)
  • Cloud host – AWS, GCP, Azure, or your hosting provider

See our documentation for environment variables and configuration. Customers are responsible for their own BAAs and vendor compliance.

Ready to get started?

Audit-friendly scheduling workflows for US teams. No credit card required for trial.
