For IRB offices & research coordinators
HIPAA-aware scheduling — built for healthcare research
SlotWise Pro is designed from the ground up for research and clinical teams that operate under HIPAA. Audit log with no PHI stored, consent recording, right-to-delete, RBAC, and BAA-ready infrastructure. This page documents exactly what data we store, where it lives, and what controls are in place.
BAA available upon request on Professional and IVR Automation plans. Contact fullstack.manmohan@gmail.com to initiate.
This page describes product capabilities and is not legal advice. Validate your specific use case with your compliance or legal team.
Audit log, RBAC, consent recording, right-to-delete, TLS, and encryption at rest are all implemented. BAA available upon request on Professional and IVR Automation plans. Customer is responsible for signing BAAs with all relevant vendors and completing operational safeguards.
Right-to-delete and right-to-access (data export) endpoints support GDPR erasure and access requests. Data processing addendum available on request. Customer is responsible for DPA with all processors.
Access control, audit trail, and minimal PII in logs support FERPA-compliant workflows. Customer must validate with legal or compliance team.
Built-in compliance capabilities
What is implemented and active in the product today — not roadmap items.
Audit log — no PHI stored
Every create, update, delete, export, and consent action is recorded with opaque resource IDs and action types — never names, emails, or appointment details. Exportable as CSV from the dashboard.
Role-based access control (RBAC)
Three roles: admin, super_admin, and patient. Supports least-privilege access. Team members can be scoped to event management without org-wide access.
Consent recording
Record study participation, data-sharing, and other consent types per participant from the event detail page. Consent records include type, version, and timestamp. Accessible via API.
Right-to-delete (erasure)
Hard-delete a participant and all associated records (contact, appointments, consent, tokens, event links) from six collections in one operation. Accessible via the Participants page and API.
Data export (right-to-access)
Export all data held for a specific participant — contact, appointments, consent records, event links — as a structured JSON response. Available on Professional+ plans.
TLS in transit
All traffic runs over HTTPS. TLS is enforced at the reverse proxy for production deployments. HTTP is redirected to HTTPS.
Encryption at rest
MongoDB Atlas encryption at rest is enabled at the provider level (AES-256). Secrets (JWT, Stripe keys, Twilio credentials) are injected at runtime via environment variables — never committed or logged.
Data retention policy
Automated retention and scheduled deletion are not yet implemented. Customers should define a retention policy and use the right-to-delete API to purge participant data per their own schedule.
What data we store and where
Full inventory of data categories, storage location, and PHI classification. All data is stored in MongoDB Atlas — US region (us-east-1 or us-west-2) unless otherwise noted.
| Category | What is stored | Where | Contains PHI? | Notes |
|---|---|---|---|---|
| Scheduling data | Event definitions, availability windows, time slot assignments | MongoDB Atlas — US region (us-east-1 or us-west-2) | No PHI | No participant names, emails, or phone numbers stored in event records. |
| Participant records | Opaque participant ID, optional name, email, phone (contact collection) | MongoDB Atlas — US region | May contain PHI | The contact collection is isolated. Audit log references only the opaque participant ID — never name, email, or phone. |
| Appointment / confirmation records | Appointment ID, slot, status (scheduled / cancelled), channel | MongoDB Atlas — US region | No PHI | Linked to participant via opaque ID. No identifying fields in the appointment document. |
| Consent records | Consent type, version, participantId (opaque), timestamp | MongoDB Atlas — US region | No PHI | Records that a consent was given. The name of the participant is not stored in the consent collection. |
| Audit log | Action type, resource ID (opaque), actor ID, timestamp | MongoDB Atlas — US region | No PHI | Strictly no PHI. Names, emails, phone numbers, and message content are never written to the audit log. |
| SMS / voice | Message content in transit (Twilio sub-account) | Twilio infrastructure — US region | May contain PHI | BAA required with Twilio when messages may include PHI. SlotWise Pro templates are configurable; avoid including PHI in message text. |
| Invite and reminder emails | SendGrid / configured SMTP provider | May contain PHI | BAA required with email provider when messages may include PHI. | |
| Application logs | Request paths, error messages (no body content) | Application server / cloud provider | No PHI | Request bodies are never logged. Error messages are sanitised before logging. |
BAA availability — vendor-by-vendor
SlotWise Pro itself offers a BAA available upon request on Professional and IVR Automation plans. The following sub-processors must also have BAAs in place before handling PHI.
| Vendor | Purpose | BAA availability | Required for PHI? |
|---|---|---|---|
| Twilio | SMS invites, voice reminders, IVR confirmations | Available — sign directly with Twilio | Required |
| SendGrid / SMTP | Email invites and reminders | Available — sign with your email provider | Required |
| MongoDB Atlas | All scheduling, participant, and audit data | Available — sign with MongoDB | Required |
| Cloud host (AWS / GCP / Azure) | Application and database hosting | Available from all major cloud providers | Required |
| Vapi | AI voice / IVR Automation (optional, IVR plan only) | Available on request from Vapi | Not required |
| Stripe | Billing / subscription management only — no PHI | Not required (no PHI processed) | Not required |
Pre-go-live checklist (healthcare PHI workflows)
This checklist covers the steps that must be completed before using SlotWise Pro to schedule workflows involving protected health information.
- Sign BAA with Twilio (SMS/voice), your email provider, MongoDB Atlas, and your cloud host before go-live
- Enable MongoDB Atlas encryption at rest in the provider console
- Enforce TLS at the reverse proxy; no HTTP in production
- Set NODE_ENV=production; confirm no PHI appears in application or audit logs
- Define and document a data retention and deletion policy for participant records
- Configure workforce access using RBAC — assign the minimum roles needed
- Review Twilio and email message templates to ensure PHI is not included in message text
- Train workforce on acceptable use and incident response per your HIPAA Security Rule obligations
- Validate with your compliance or legal team before collecting or processing PHI
Not on this checklist: SlotWise Pro does not yet have automated data retention / scheduled deletion. Define a retention policy and use the right-to-delete API manually until automation is available.
Policies and further reading
Privacy Policy
How we collect, use, and protect personal data.
Cookie Policy
What cookies we set and how to manage them.
Acceptable Use Policy
Prohibited uses and conduct standards.
Terms of Service
Service terms, SLA, and liability.
Pricing — HIPAA Pack
Professional+ plans with HIPAA Pack add-on pricing.
Contact / BAA request
Email us to initiate a BAA or compliance review.
Ready to schedule your first research cohort?
Start a free trial or contact us to begin the BAA process and schedule a compliance walkthrough.