Security & HIPAA

Your patients' data is safe. Here's exactly how.

Ad Vital is HIPAA compliant, signs a BAA with every practice, and operates controls aligned with SOC 2, NIST 800-53, and DEA 21 CFR Part 1311 for EPCS. No compliance theater — here's what we actually do.

HIPAA & BAA

Ad Vital is a HIPAA Business Associate. We execute a Business Associate Agreement with every customer practice and operate a written Security Risk Analysis and Risk Management Plan refreshed annually.

Encryption

AES-256 at rest. TLS 1.2+ in transit, with HSTS enforced on all customer-facing endpoints. Database keys are rotated and managed in a FIPS 140-2 validated KMS.

Identity & Access

SAML/OIDC SSO available. Mandatory MFA for prescribers. Role-based access control. Just-in-time access for support engineers, fully audited and customer-revocable.

Infrastructure

Hosted in U.S. cloud regions covered by SOC 2 / ISO 27001 attestations. Tenant data is logically isolated. Daily encrypted backups with point-in-time recovery, tested quarterly.

Application Security

Secure SDLC, mandatory code review, SAST and dependency scanning in CI, third-party penetration testing annually. Critical vulnerabilities patched within 7 days.

Monitoring & Response

24/7 alerting on suspicious access patterns. Documented incident-response runbook with breach-notification timelines aligned to HIPAA and applicable state laws.

EPCS Compliance

EPCS done by the regulation, not around it.

Electronic Prescribing of Controlled Substances on Ad Vital is implemented through DoseSpot in accordance with 21 CFR Part 1311. Every prescriber who transmits a controlled-substance prescription has been identity-proofed, has enrolled a second authentication factor (FIDO security key or a TOTP authenticator app), and digitally signs each prescription before transmission.

Audit logs for EPCS prescriptions are retained for the period required by federal and state law, are protected against modification, and are exportable to authorized regulators on request. The two-factor authentication requirement is enforced by the platform — it cannot be bypassed by administrators.

Subprocessors

Every subprocessor is BAA-bound.

Subprocessor         Purpose                                   Region
DoseSpot, Inc.       E-prescribing & Surescripts transmission  US
Plaud AI             Voice capture & transcription             US
Amazon Web Services  Hosting, storage, KMS                     US
Documo / Etherfax    HIPAA-compliant fax gateway               US
Stripe, Inc.         Subscription billing (no ePHI)            US

Customers receive 30 days' notice before any new ePHI subprocessor is added.