Security & Compliance

Your patients' data, treated like ours.

AveoDent was built from day one to handle protected health information. That means HIPAA-aligned infrastructure, encryption everywhere, an audit log on every PHI access, and a signed Business Associate Agreement with your practice. No marketing-speak shortcuts — every claim on this page maps to a specific control we can show you on a call.

How we protect PHI

Six controls, no warranty language.

HIPAA isn't a certification you can buy — it's a set of safeguards you build into the product. Here's what we built into ours.

HIPAA-aligned by design

We sign a Business Associate Agreement (BAA) with every practice. Every part of the system that touches patient data was built to meet HIPAA's technical safeguards — access controls, audit controls, integrity, transmission security, and PHI safeguards.

Encrypted in transit and at rest

All traffic to AveoDent runs over TLS. Patient data sits on encrypted-at-rest storage. Sensitive fields (insurance numbers, signatures) get an additional layer of application-level encryption.

Every PHI access is logged

Audit logging is enforced at the service layer, not the route layer — a new caller cannot bypass it. We log who accessed what patient record, when, from what IP, and whether the access succeeded or was denied. Logs are retained per HIPAA requirements.

Multi-tenant isolation

Your practice's data is segregated from every other practice on AveoDent at the application and database query layer. Every internal query is scoped by organization. Cross-tenant access is a class of bug we test for explicitly with automated guardrails.
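The two design points above, audit logging enforced in the service layer rather than the route layer and every query scoped by organization, as an added illustration in Python. This is example code written for this page, not AveoDent's implementation; the in-memory patient store, the organization and user ids, and the `PatientService` / `scoped_query` names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: patient records belonging to two separate practices (tenants).
PATIENTS = {
    "p-1": {"org_id": "org-A", "name": "Patient One"},
    "p-2": {"org_id": "org-B", "name": "Patient Two"},
}


@dataclass(frozen=True)
class Caller:
    user_id: str
    org_id: str
    ip: str
    user_agent: str


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    org_id: str
    patient_id: str
    action: str
    ip: str
    user_agent: str
    outcome: str  # "success" or "denied"
    at: str


class AuditLog:
    """Append-only sink: events can be added and read, never edited or deleted."""

    def __init__(self):
        self._events = []

    def append(self, event):
        self._events.append(event)

    def events(self):
        return tuple(self._events)


class PermissionDenied(Exception):
    pass


def scoped_query(store, org_id, patient_id):
    """Every record lookup passes through this guardrail: the org filter is mandatory
    and comes from the caller's session, so a cross-tenant id simply finds nothing."""
    if not org_id:
        raise ValueError("query is not tenant-scoped")  # the automated guardrail trips here
    record = store.get(patient_id)
    if record is None or record["org_id"] != org_id:
        return None
    return record


class PatientService:
    """The only way to read a patient record. Logging lives here, not in a route
    handler, so any new caller (API, background job, admin tool) is logged automatically."""

    def __init__(self, audit, store=PATIENTS):
        self._audit = audit
        self._store = store

    def get_patient(self, caller, patient_id):
        record = scoped_query(self._store, caller.org_id, patient_id)
        outcome = "success" if record is not None else "denied"
        # Logged before the result is returned or the error raised: who, what, when,
        # from where, and whether access succeeded or was denied.
        self._audit.append(AuditEvent(
            user_id=caller.user_id, org_id=caller.org_id, patient_id=patient_id,
            action="read", ip=caller.ip, user_agent=caller.user_agent,
            outcome=outcome, at=datetime.now(timezone.utc).isoformat(),
        ))
        if record is None:
            raise PermissionDenied(f"{caller.user_id} may not read {patient_id}")
        return record


def try_read(service, caller, patient_id):
    """Returns the audit outcome of a read instead of raising."""
    try:
        service.get_patient(caller, patient_id)
        return "success"
    except PermissionDenied:
        return "denied"


def run_scenario():
    """Constructed scenario: an org-A user reads their own record, then an org-B
    record, then an unknown id. Returns the outcomes and the resulting audit trail."""
    log = AuditLog()
    service = PatientService(log)
    staff = Caller("user-1", "org-A", "203.0.113.7", "Mozilla/5.0 (constructed)")
    outcomes = [try_read(service, staff, pid) for pid in ("p-1", "p-2", "p-999")]
    return outcomes, log.events()


if __name__ == "__main__":
    outcomes, trail = run_scenario()
    for event in trail:
        print(f"{event.at} user={event.user_id} org={event.org_id} "
              f"patient={event.patient_id} ip={event.ip} outcome={event.outcome}")
```

Two points are worth noticing in the scenario: the cross-tenant read of `p-2` and the read of a nonexistent id produce the same denied result, so a caller cannot use the response to learn whether another practice's record exists, and all three attempts land in the audit trail regardless of outcome.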

AI runs on infrastructure with a HIPAA BAA

Our AI-assisted features (clinical insights, X-ray analysis, document parsing) run on cloud infrastructure with HIPAA BAA coverage. We do not send patient data to consumer AI APIs. Where required, data is de-identified per HIPAA Safe Harbor before processing.

Breach notification workflow built-in

If we ever detect unauthorized access, we have a documented internal workflow for notification per 45 CFR §§ 164.400-414 — including impact assessment, customer notification, and regulator reporting.

What this looks like in the product

Specifics, not slogans.

Access controls

  • Custom JWT session tokens with HttpOnly cookies — not stored in browser-accessible storage
  • Role-based permissions (Dentist / Hygienist / Assistant / Front Office) with owner flag
  • Optional multi-factor authentication (SMS-based OTP) per organization
  • SAML 2.0 SSO support for multi-location practices and DSOs
  • Per-IP and per-user rate limiting on authentication endpoints

Audit trail

  • Service-layer logging of every PHI read and write — captures user, organization, IP, user agent, success or failure
  • Separate Aveo-admin audit log — internal support actions are logged distinctly from practice activity
  • Permission-denied events recorded automatically by the authorization layer
  • Audit logs are append-only and retained per HIPAA timeframes

Data handling

  • You own your data. Export available at any time.
  • No re-selling, no third-party sharing, no advertising use of patient data — ever.
  • AI features process the minimum data needed and de-identify where Safe Harbor applies.
  • Patient-facing portal authentication is separate from staff authentication to limit blast radius.

Infrastructure

  • Hosted on enterprise cloud infrastructure with a SOC 2 / ISO 27001 attested provider
  • Daily encrypted backups with point-in-time recovery
  • Application-level migration safety: data import runs in dry-run preview before commit, with a reconciliation report you review
  • Re-authentication required for destructive actions (permanent delete, mass operations)

What we're honest about

Where we are, where we're going.

We run a continuous in-house HIPAA + SOC 2 control scan over our codebase that flags missing audit logs, broken tenant isolation, and any code that could leak PHI. It catches drift before it ships. Today every control on this page passes.

We do not yet hold a third-party SOC 2 Type II attestation. That work is underway and on the near-term roadmap. Until then, the BAA and the concrete control list above are what we have to offer — and we think that's more useful than a generic "HIPAA compliant" badge.

If you have a security questionnaire, send it. We'll answer every question with a specific control or be honest about a gap.
