We never receive Protected Health Information.
Slate OR analyzes the shape of appointments — procedure type, duration, time, day of week — not the patients themselves. Customer practices send us only de-identified appointment metadata. We do not receive patient names, dates of birth, medical record numbers, or any contact information for individuals receiving care. This is a permanent product constraint, not an aspiration.
Why we are not a Business Associate under HIPAA
The data Slate OR processes is de-identified under HIPAA's Safe Harbor standard (45 C.F.R. § 164.514(b)). Because the data does not identify, and cannot reasonably be used to identify, an individual, it is not Protected Health Information. Slate OR is therefore not a Business Associate as defined under 45 C.F.R. § 160.103, and a Business Associate Agreement (BAA) is not required for customer practices to use the service.
If your compliance team prefers a BAA as a belt-and-suspenders measure, contact hello@slateor.com and we'll discuss.
What we never collect
- Patient names
- Dates of birth
- Medical record numbers
- Patient contact information
- Diagnoses, notes, or clinical content
What we do collect
- Procedure type and duration
- Scheduled and actual appointment times
- Provider identity (clinician name)
- Cancellation, no-show, and new-patient flags
- Optional customer-generated pseudonymous patient ID
Security controls
Encryption
All customer data is encrypted in transit (TLS 1.2+) and at rest (AES-256, managed by our hosting and database providers).
Access control
Customer data is scoped per-practice. Authenticated requests are tenant-isolated. Production access is restricted to authorized personnel under least-privilege principles.
Audit logging
Authentication events, administrative changes, and data access are logged and retained for security review.
Data residency
Customer data is stored in United States regions across our hosting and database providers.
Compliance roadmap
A SOC 2 Type II audit is planned for 2026. Slate OR maintains a formal subprocessor list (below) and a documented incident-response procedure. Material changes to security posture are communicated to customers in advance.
Subprocessors
The following providers process customer data on Slate OR's behalf. None receive PHI; the data flows are limited to the de-identified scope described above.
| Provider | Purpose | Region |
|---|---|---|
| Vercel, Inc. | Application hosting | United States |
| Neon, Inc. | Postgres database | United States |
| Stripe, Inc. | Payment processing | United States |
| Google LLC (Workspace) | Email and productivity | United States |
Reporting a security concern
We welcome reports from researchers, customers, and the public. Email hello@slateor.com with details. We'll acknowledge within two business days and coordinate a fix and disclosure timeline.
Related documents
- Privacy Policy — what we collect and why.
- Data Processing Agreement — terms covering processing of customer data.
- Terms of Service — the customer agreement.