Security & compliance

Built for medical records from day one.

RecordFlow handles protected health information (PHI), so the security model has to be exact, not marketing language. Here is precisely what is true today.

Your files are auto-deleted in 30 days

The records you upload and the organized output RecordFlow generates are automatically and permanently deleted 30 days after processing. This is a fixed storage-lifecycle rule, not a policy you have to remember to invoke — download and save what you need within that window.

Encrypted in transit and at rest

Files are transferred over TLS and stored encrypted at rest using AWS Key Management Service (KMS) managed keys.

Strict per-account access control

Every access to a case's records, status, or files is gated by an ownership check tied to your account — a request for a case you don't own is rejected before any data is returned.

Never used to train AI models

Your records are read only to organize your case. They are never used to train any AI model, by us or by our AI provider.

Processed under HIPAA BAAs

Records are processed only on cloud infrastructure covered by signed Business Associate Agreements — AWS (hosting and OCR) and Google Cloud (Vertex AI). No record is ever sent to a service that isn't covered by a BAA.

What we don't claim

RecordFlow runs on a single, shared cloud account — we don't claim a dedicated environment or physical separation per firm. Isolation between customers is enforced in software: every record request is checked against your account before anything is returned, as described above.

Need a BAA for your firm?

A Business Associate Agreement is available on request. Email support@s2reason.com and we'll set one up for your firm.