Security & compliance
Annalis handles sensitive medical records and attorney work product. Security isn’t a feature — it’s the foundation everything else is built on.
Compliance
All data handling, storage, and transmission meets HIPAA requirements for protected health information. We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
We execute Business Associate Agreements with all covered entities. Our BAA covers the storage, processing, and transmission of PHI through the Annalis platform.
Before any medical record is processed by AI, patient identifiers are automatically stripped: SSN, MRN, date of birth, phone numbers, email addresses, and other PII. The AI never sees unredacted PHI.
All case analyses are generated as attorney work product and protected under attorney-client privilege. Access controls ensure only authorized parties can view case materials.
Data security
All data transmitted between your browser and our servers is encrypted using TLS 1.2+ with 256-bit AES encryption. API communications use the same standard.
All stored data — documents, analysis results, case information — is encrypted at rest using AES-256 encryption. Database backups are encrypted using the same standard.
Medical records sent to our AI analysis engine are processed in memory and not retained after analysis is complete. We do not use your data to train AI models. Your records are never shared with third parties.
Role-based access controls ensure attorneys only see their own cases, and experts only see cases explicitly shared with them. All shared access is gated behind email verification and confidentiality acknowledgment.
Annalis runs on enterprise-grade cloud infrastructure from SOC 2-certified hosting providers. Database and file storage are isolated and access-controlled, with audit logging.
User authentication is handled by Clerk, an enterprise identity provider supporting MFA, SSO, and OAuth. We do not store passwords. Session tokens are short-lived and cryptographically signed.
Data handling practices
PDFs are uploaded directly to encrypted storage. Text extraction occurs server-side. Original files are retained for attorney access but never shared beyond authorized parties.
Extracted text is sent to our analysis engine with PHI redacted. Analysis results are stored and associated with the case. Raw text is not retained after processing.
When a case is shared with an expert, they receive access through a time-limited, email-verified link with confidentiality acknowledgment. Access can be revoked at any time by the attorney.
Attorneys can delete individual documents or entire cases. Deleted data is permanently removed from active storage. Contact us for full account deletion and data export requests.
We’re happy to answer questions about our security practices, provide our BAA, or discuss specific compliance requirements for your firm.
security@annalis.ai