Enterprise security. Practice simplicity.
HIPAA compliant from day one, AWS infrastructure, AES-256 encryption, automatic daily backups, and two-factor authentication — with a BAA signed for every practice.
HIPAA compliant. From day one.
Every Ayla account comes with a signed Business Associate Agreement. All patient data is handled in strict accordance with HIPAA requirements — access controls, audit logs, encryption, and breach notification procedures all built in.
- Signed BAA with every practice
- Access controls and audit logs
- Breach notification procedures
- Staff access logging
- HIPAA compliant data storage
- Annual security review
HIPAA Compliance
BAA included, audit logs, and full HIPAA compliant architecture
AWS Infrastructure
Enterprise-grade cloud — no local server needed
Built on the cloud the world trusts.
Ayla runs on Amazon Web Services — the same infrastructure trusted by Netflix, NASA, the CIA, and thousands of healthcare organizations. No local server to maintain, no IT staff needed, no server crashes on a Monday morning.
- AWS infrastructure — enterprise grade
- No local server required
- 99.9% uptime SLA
- Automatic failover
- Multi-region redundancy
- SOC 2 compliant hosting
Replaces: Local server infrastructure, IT maintenance costs
Your data is safe. Always.
All data in Ayla is encrypted with AES-256 — at rest and in transit. Automatic daily backups mean your patient data is never at risk. Point-in-time recovery is available. Your data is yours — full export available anytime.
- AES-256 encryption at rest
- TLS encryption in transit
- Automatic daily backups
- Point-in-time recovery
- Full data export on request
- Data ownership — always yours
Encryption & Backups
AES-256 encryption and automatic daily backups
Only the right people get in.
Two-factor authentication, role-based access control, and session management ensure that only authorized staff can access patient data — and only the data relevant to their role.
- Two-factor authentication
- Role-based access control
- Session timeout settings
- Failed login attempt monitoring
- Password policy enforcement
- Audit log of all access
Two-Factor Authentication
2FA, role-based access, and session management
Built secure. Actively hardened.
Ayla has completed a full Security Risk Analysis and is actively remediating all findings. Here is exactly what we have implemented — because transparency builds trust.
bcrypt Password Hashing
All user passwords are hashed using bcrypt with an adaptive cost factor — the industry standard for secure password storage. Plain-text passwords are never stored or logged.
AES-256 SSN Encryption
Social Security numbers and other high-sensitivity identifiers are encrypted at the field level using AES-256 — separate from the database-level encryption, providing defense in depth.
XSS Protection in Clinical Notes
All user-generated content including clinical notes, form responses, and messages is sanitized to prevent cross-site scripting (XSS) attacks — protecting against malicious code injection.
S3 Encryption for File Storage
All uploaded files — x-rays, documents, attachments — are stored in AWS S3 with server-side encryption (SSE-S3). Files are encrypted at rest and in transit.
Secrets Removed from Codebase
All API keys, credentials, and secrets have been removed from the codebase and migrated to environment variables managed through secure infrastructure — never committed to version control.
Concurrency Hardening
Database transactions use optimistic locking to prevent race conditions and data corruption — ensuring data integrity even during simultaneous access by multiple users across operatories.
Audit Logging via tRPC Middleware
Comprehensive audit logging runs as tRPC middleware on every mutation and on key ePHI reads — every access to protected health information is recorded with user, timestamp, and action for full HIPAA accountability.
Security Risk Analysis Complete
A full HIPAA Security Risk Analysis has been completed covering administrative, physical, and technical safeguards — with active remediation of all identified findings and ongoing risk management documented in our SRA.
Tested in Production Daily
Every security measure is validated in a live clinical environment at North Star Pediatric Dentistry — real patients, real data, real workflows — before reaching any other practice.
Most dental software vendors do not disclose their security implementation details. We do — because practices deserve to know exactly how their patient data is protected.
Ready to see Ayla in action?
Book a personalized demo and see how Ayla can transform your practice.