Security

Thyra Health is built on HIPAA-aligned infrastructure on Google Cloud. All PHI is encrypted in transit and at rest. Every action against a patient record is auditable. Access is role-based and least-privilege by default.

Audit trail per sentence

The Longitudinal AI Scribe records the source of every clinical statement it generates. Click any sentence in a note and see the exact audio segment, lab value, prior note, or visit history it came from. No black box.

Subprocessors and infrastructure

Thyra runs on Google Cloud Platform. We do not use AWS as a subprocessor. Tidepool is a subprocessor for device data. Cal.com is a subprocessor for booking. Plausible is a subprocessor for privacy-preserving analytics with no personal identifiers.

Compliance and Business Associate Agreement

A standard Business Associate Agreement is available for every customer handling PHI. SOC 2 Type II is in progress, targeting Q2 2026. HIPAA technical, administrative, and physical safeguards are in place from day one.

Identity and access

Single sign-on is supported. Multi-factor authentication is enforced for all clinical users. Session timeouts and IP-based access controls are configurable per practice.

Data ownership and portability

Your data is yours. Full export in standard formats (FHIR for clinical data, CSV for everything else) is included at no charge. Cancel any time and take your data with you. No legal escalation.