Compliance
BAA & safeguards
Your Business Associate Agreement status and the technical controls that back it. Demo numbers — production ships with a signed BAA and matching attestations.
Signed 2026-04-01 on behalf of CoreForge Chiropractic by Dr. Nikki Kidd. Template v2026.1.
| Item | Value | Note |
|---|---|---|
| Agreement | Signed ✓ | Counter-signed by Align.ai, Inc. |
| Effective date | 2026-04-01 | Auto-renews annually |
| Last attestation | 2026-03-15 | Next review due 2026-09-15 |
Each item maps to a specific obligation in your BAA.
| Control | Status | Detail |
|---|---|---|
| Encryption in transit | Active | TLS 1.3 enforced at Vercel edge and Supabase. |
| Encryption at rest | Active | AES-256 via Supabase Postgres + S3 (Anthropic cache). |
| Row-level security (tenant isolation) | Active | Postgres RLS policies on every table, keyed on the practice_id claim of the Clerk JWT. |
| Universal MFA | Active | Enforced for all provider accounts via Clerk. |
| Comprehensive audit logging | Active | Every AI call logged to audit_log (7-year retention). |
| AI: no PHI used for base-model training | Active | Zero-data-retention terms with Anthropic (or the Bedrock equivalent); prompts and outputs are not used to train base models. |
| Subcontractor flow-down BAAs | Active | Anthropic, Supabase, Clerk, Vercel and Deepgram each offer a BAA; status per subprocessor is listed below. |
| Breach notification readiness | Active | 30-day notification target, inside the 60-day outer limit of 45 CFR 164.410. Template: compliance pack. |
| Annual penetration test | Planned | Scheduled post-GA with 3rd-party firm. |
| SOC 2 Type II | Planned | Observation window begins at 50-practice threshold. |
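The tenant-isolation row above is the one control in the table that is a concrete mechanism rather than a contract term, so here is a worked version of it. This is an added example, not the product's own schema or policies: it assumes a PHI table called soap_notes with a practice_id column, and that the verified Clerk JWT reaches Postgres as the request.jwt.claims setting (the per-request setting that PostgREST and Supabase populate; Supabase's auth.jwt() reads the same setting) with a practice_id claim. The helper function, table and sample rows are all constructed for the demonstration.

```sql
-- Added example (not the project's own code): Postgres row-level security
-- scoping one PHI table to the tenant named in the caller's JWT.
-- Assumption: the Clerk JWT is exposed as request.jwt.claims with a
-- practice_id claim. Run as a non-superuser role; superusers bypass RLS.

create table if not exists soap_notes (
  id          bigint generated always as identity primary key,
  practice_id text        not null,
  patient_ref text        not null,
  note        text        not null,
  created_at  timestamptz not null default now()
);

-- Reads the tenant claim. Returns NULL (not an error) when no JWT is
-- present, so an unauthenticated call matches zero rows instead of all rows.
create or replace function current_practice_id() returns text
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::jsonb
         ->> 'practice_id'
$$;

alter table soap_notes enable row level security;
-- FORCE also binds the table owner; without it the owning role sees everything.
alter table soap_notes force row level security;

-- One policy per verb. WITH CHECK stops a tenant from writing a row into
-- another tenant's partition, which USING alone does not prevent.
create policy soap_notes_tenant_select on soap_notes
  for select using (practice_id = current_practice_id());
create policy soap_notes_tenant_insert on soap_notes
  for insert with check (practice_id = current_practice_id());
create policy soap_notes_tenant_update on soap_notes
  for update using (practice_id = current_practice_id())
             with check (practice_id = current_practice_id());
create policy soap_notes_tenant_delete on soap_notes
  for delete using (practice_id = current_practice_id());

-- Check: impersonate two tenants in one transaction with constructed claims
-- and confirm that neither can read or write across the boundary.
begin;

select set_config('request.jwt.claims', '{"practice_id":"prac_a"}', true);
insert into soap_notes (practice_id, patient_ref, note)
  values ('prac_a', 'pt-1', 'constructed sample note for tenant A');

-- Rejected by the INSERT policy's WITH CHECK (new row violates policy):
-- insert into soap_notes (practice_id, patient_ref, note)
--   values ('prac_b', 'pt-9', 'cross-tenant write attempt');

select set_config('request.jwt.claims', '{"practice_id":"prac_b"}', true);
select count(*) as visible_to_prac_b from soap_notes;   -- expected: 0

select set_config('request.jwt.claims', '', true);       -- no JWT at all
select count(*) as visible_anonymously from soap_notes;  -- expected: 0

rollback;
```

Two things a reviewer should look for when auditing a control described only as "claim gates every table": that every PHI table has policies for all four verbs (a table with RLS enabled but no policy for a verb denies that verb, but a table where RLS was never enabled is wide open to the API role), and that writes carry a WITH CHECK clause, since a SELECT-only policy still lets a caller insert rows under someone else's practice_id.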
| Subprocessor | Role | BAA |
|---|---|---|
| Anthropic (Claude) | Clinical reasoning + SOAP generation | On file |
| Deepgram | Medical ASR (transcription) | On file |
| Supabase | Postgres + Storage + RLS | On file |
| Clerk | Authentication + user directory | On file |
| Vercel | Application hosting / edge | On file |
| AWS (indirect) | Backing infra for Bedrock / S3 | Via Anthropic + Supabase |