
Wavo Health — Security & Compliance Overview

Updated this week

Wavo Health is committed to protecting the security and privacy of the data you entrust to us. This overview summarizes our approach to security and compliance.

For detailed policies, please see our Privacy Policy, Terms of Service, and Notice of Privacy Practices.

Additional policies are available on request — see Policies Available on Request or contact us at [email protected] or [email protected].


Why This Matters

Protecting patient data is central to responsible practice and to the trust your patients place in you. Data privacy touches every aspect of care — and with AI in the loop, the stakes are high. We designed our Platform with security and compliance in mind so you can document confidently and focus on patient care.


Security Posture

Encryption

  • In transit
    All data in transit, including API and web traffic, is encrypted using TLS 1.2 or higher (HTTPS).

  • At rest
    Sensitive data, including Protected Health Information (PHI), is encrypted at rest using strong encryption (AES-256, e.g., in GCM mode) with secure key management.

  • Key management
    Encryption keys are managed securely, and access is limited to authorized systems and personnel.


Access Control

  • Authentication
    Access to the Platform requires secure authentication. We use a trusted identity provider to support unique user identification, strong passwords, and session management.
    Where supported, we offer multi-factor authentication (MFA) and single sign-on (SSO) for an additional layer of security.

  • Authorization
    Access to data is scoped by user and organization. Users can access only the data they are authorized to use. We follow the principle of minimum necessary access.

  • Session security
    Sessions are managed securely and can be configured to time out after a period of inactivity.


Audit & Monitoring

  • Audit logging
    We maintain audit logs that record access to and use of sensitive data (e.g., document views and exports). Logs support security monitoring and compliance.

  • Retention
    Audit and compliance-related records are retained in accordance with applicable law (for example, at least six years where required by HIPAA).

  • Privacy in logs
    We avoid storing full sensitive or personal content in logs where it is not necessary for security or compliance.
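
The two controls above (org-scoped authorization and audit events that never carry PHI) are easiest to reason about in code. The following is an added example written for this page, not Wavo Health's own code: the Principal and Document types, the role names, the allowlisted audit fields, and the PHI-looking patterns are all assumptions chosen for illustration. Every access decision is logged with who, which organization, which document, which action, and the outcome, while the document body (the PHI) is kept out of the log by construction.

```python
"""Org-scoped document access with a PHI-free audit trail (illustrative, not production code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json
import re

# Allowlist of fields an audit event may carry. Note text, patient names and
# transcripts have no allowlisted field, so they cannot be logged by accident.
AUDIT_FIELDS = {"actor_id", "org_id", "action", "doc_id", "outcome", "reason"}

# Constructed patterns for values that look like PHI leaking into a log field.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # US SSN shape
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),   # date-of-birth shape
]


@dataclass(frozen=True)
class Principal:          # assumed shape of an authenticated user
    user_id: str
    org_id: str
    roles: frozenset


@dataclass(frozen=True)
class Document:           # assumed shape of a clinical document
    doc_id: str
    org_id: str
    owner_id: str
    body: str             # PHI: must never reach the audit log


class AuditLog:
    def __init__(self):
        self.lines = []

    def record(self, **event):
        """Append one JSON audit line after checking it carries no PHI."""
        extra = set(event) - AUDIT_FIELDS
        if extra:
            raise ValueError(f"non-allowlisted audit fields: {sorted(extra)}")
        for key, value in event.items():
            if isinstance(value, str) and any(p.search(value) for p in PHI_PATTERNS):
                raise ValueError(f"audit field {key!r} looks like it contains PHI")
        event["ts"] = datetime.now(timezone.utc).isoformat()  # added after the PHI check
        self.lines.append(json.dumps(event, sort_keys=True))


def is_rejected(**event) -> bool:
    """True if the audit guard would refuse this event (self-check helper)."""
    try:
        AuditLog().record(**event)
    except ValueError:
        return True
    return False


def authorize(principal, doc, action):
    """Return (allowed, reason). Scope by organization first, then by role/ownership."""
    if doc.org_id != principal.org_id:
        return False, "cross_org"          # never visible across organizations
    if action == "view":
        return True, "same_org"
    if action == "export":
        if "admin" in principal.roles or doc.owner_id == principal.user_id:
            return True, "owner_or_admin"
        return False, "export_requires_owner_or_admin"
    return False, "unknown_action"


def access_document(principal, doc, action, log):
    """Log every decision (allow or deny) and return the body only when allowed."""
    allowed, reason = authorize(principal, doc, action)
    log.record(actor_id=principal.user_id, org_id=principal.org_id, action=action,
               doc_id=doc.doc_id, outcome="allow" if allowed else "deny", reason=reason)
    if not allowed:
        raise PermissionError(f"{action} on {doc.doc_id} denied: {reason}")
    return doc.body


def demo():
    """Constructed scenario: a clinician in org-a and an admin from org-b hit the same note."""
    log = AuditLog()
    clinician = Principal("u-clin-1", "org-a", frozenset({"clinician"}))
    outsider = Principal("u-clin-9", "org-b", frozenset({"clinician", "admin"}))
    note = Document("doc-42", "org-a", "u-clin-1", "Patient Jane Roe, DOB 1980-01-01, ...")
    access_document(clinician, note, "view", log)
    try:
        access_document(outsider, note, "view", log)   # admin role does not cross org boundaries
    except PermissionError:
        pass
    return log.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points worth noting: the allowlist is checked before the timestamp is added, so the date-shaped pattern catches a date of birth in a field without tripping on the event's own timestamp, and denials are logged with the same shape as allows, which is what makes cross-organization probing visible in security monitoring.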


Infrastructure

  • Cloud hosting
    The Platform runs in secure, cloud-hosted environments using providers that maintain strong physical and logical security controls.

  • Data location
    Data may be processed or stored in Canada or the United States, with safeguards appropriate to each region.


Compliance

HIPAA (United States)

Wavo Health operates in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and related requirements for protecting PHI. The following summarizes how we address key HIPAA requirements.

  • Administrative, physical, and technical safeguards
    We implement safeguards designed to protect the confidentiality, integrity, and availability of PHI, including access controls, authentication (with MFA and SSO where supported), encryption in transit and at rest, audit logging, and secure key management.
    Our Platform operates in secure, cloud-hosted environments with strong physical and logical security controls.

  • Business Associate Agreements (BAAs)
    We maintain written BAAs with vendors that create, receive, maintain, or transmit PHI on our behalf. These agreements require appropriate safeguards, incident reporting, and compliance with applicable law.
    Our vendor management practices are documented and available in summary form on request. A list of subprocessors that may process personal or health data is available on request.

  • Breach notification
    We have procedures for identifying, assessing, and responding to security incidents and for notifying affected individuals, the U.S. Department of Health and Human Services (HHS), and others where required by HIPAA breach notification rules.

  • Workforce training
    We provide security and HIPAA awareness training to our workforce. Training is refreshed at least annually and completion is documented.

  • Risk analysis
    We conduct periodic risk assessments to identify risks to PHI and implement security measures to reduce those risks to an acceptable level.

  • Patient rights
    Our Notice of Privacy Practices describes how we use and disclose PHI and individuals’ rights, including access, correction, and the right to file a complaint with us or with HHS.
    We support these rights in accordance with our policies and applicable law. We do not retaliate against individuals for exercising their privacy rights or for raising good-faith concerns.

  • No AI training on identifiable PHI
    We do not use identifiable PHI for AI model training. Any use of data for model improvement is on an anonymized or de-identified basis, or with your explicit opt-in where offered (for example, for custom templates).

  • Contact
    For HIPAA or security questions, or to request a policy or subprocessor list: [email protected] or [email protected].
    Our Privacy and Security Officer (CEO) is responsible for our privacy and security program.

Note: HIPAA has no formal certification program; the statement above reflects our own compliance program and the controls described here. Whether we meet your organization’s specific requirements may depend on your policies and any legal or contractual review you require. We are happy to discuss our controls and provide additional policies on request.


Canadian Privacy (PIPEDA and Provincial Laws)

Wavo Health operates in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws in Canada.

  • Data residency
    PIPEDA does not prohibit storing personal information outside Canada, provided it receives a comparable level of protection. Some provincial laws and health-sector rules add conditions on cross-border transfers, so customers should confirm their own obligations. We process and store data in Canada or the United States with appropriate safeguards, including encryption, access controls, and audit logging.

  • Consent
    We recommend that Canadian customers obtain consent from patients before using an AI scribe or documentation service that processes patient information. Customers are responsible for obtaining and documenting consent.
    We can share consent best-practice guidance on request.

  • Breach notification
    PIPEDA and certain provincial laws (including Quebec) include breach notification requirements. We maintain procedures for identifying, assessing, and responding to incidents and for notifying affected parties and regulators where required.

  • Accountability
    We have designated a Privacy and Security Officer (CEO).
    Contact: [email protected] or [email protected].
    If you are in Canada and not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca

  • Retention
    We retain personal information only as long as necessary for the purposes for which it was collected, unless a longer period is required by law (for example, audit logs retained at least six years where required by HIPAA).

  • Access and correction
    You may request access to or correction of your personal information, and request export or deletion of your data, by contacting us.
    For patient data held by clinicians, patients may contact their provider; we support providers in fulfilling these requests in accordance with law and contract.

  • Unauthorized use
    We collect, use, and disclose personal information only as described in our Privacy Policy, Notice of Privacy Practices (where applicable), and contracts.
    We do not use identifiable PHI for AI training, do not sell personal information or PHI, and maintain technical and organizational controls to protect record integrity.


Other Frameworks

We consider applicable privacy and security requirements in the jurisdictions we serve, including the United States and Canada, and requirements related to health information, personal information, and data protection.


Data Protection

  • Data ownership and control
    You retain ownership of your data. You may request export or deletion in accordance with our policies and applicable law, including after your contract ends. You control your workspace and the data you create.

  • Data minimization
    We collect and use only the data necessary to provide and improve the Platform and to meet legal obligations.

  • Retention
    Data is retained in accordance with our retention practices and applicable law. Certain retention settings may be configurable within the Platform.

  • Deletion
    Upon request and where required by law or contract, we can provide data exports or delete data in accordance with our policies.

  • No AI training on identifiable PHI
    We do not use identifiable PHI for AI model training. Any use of data for model improvement is on an anonymized or de-identified basis, or with explicit opt-in where offered.

  • No sale of data
    We do not sell personal information or PHI.


Organizational Practices

  • Privacy/Security Officer
    We have designated a Privacy/Security Officer responsible for our privacy and security program.
    Contact: [email protected] or [email protected]

  • Risk analysis
    We conduct periodic risk assessments to identify risks to PHI and implement security measures to reduce those risks to an acceptable level.

  • Policies and training
    We maintain written security and privacy policies and provide security and HIPAA awareness training to our workforce. Policies are reviewed periodically.

  • Incident response
    We maintain procedures for identifying, assessing, and responding to security incidents and for notifying affected parties where required by law.


Transparency

  • Privacy Policy
    Describes how we collect, use, and protect personal information.

  • Notice of Privacy Practices
    Describes how we use and disclose PHI and individuals’ rights.

  • Policies on request
    Additional policies — including Breach Notification, Vendor Management, Information Security, and Data Protection — are available on request. See Policies Available on Request or contact [email protected] or [email protected].


Contact

For security or compliance questions, or to request a policy, contact us at the addresses listed above under Organizational Practices.

We do not retaliate against individuals for exercising privacy rights or for raising good-faith concerns about our practices.


© 2026 Wavo AI Technologies Inc. (Wavo Health). All rights reserved.

