Security & HIPAA
Mesio handles audio, transcripts, perio data, and clinical notes for dental practices. Here's how we protect that data — what we do today, what's in flight, and what we'll never do.
01 Our HIPAA posture in one paragraph
Mesio AI Inc. operates as a Business Associate under HIPAA when a dental practice uses our Services to record, transcribe, or otherwise process protected health information (PHI). We sign a Business Associate Agreement (BAA) with every practice before any PHI flows through the Service. The BAA is the canonical document that governs how we handle PHI; the Privacy Policy covers everything else (account information, billing, support communications). If you'd like the current BAA template before signing up, email legal@mesio.ai.
02 What we protect, where
All traffic between your browser, the Mesio Bridge, the browser extension, and the Mesio cloud is encrypted with modern TLS. Audio recordings, transcripts, and generated charts are encrypted at rest with managed keys. Database and object-storage backups are encrypted with the same standard and retained for the windows defined in the BAA.
03 Who can see what
Mesio enforces role-scoped access so the right people see the right data:
- Clinicians (dentists, hygienists) see clinical data — charts, notes, perio, audio for their patients within their practice.
- Reception sees scheduling and patient contact information — not clinical content.
- Owners and admins manage memberships and billing for their own practice; the admin role is scoped to that practice and carries no clinical access to any other.
- Practices are isolated from each other. A user in Practice A cannot read or write data belonging to Practice B, full stop. Tenant isolation is enforced at the database query layer, not in application code.
- Mesio staff never browse customer PHI as a matter of course. Access for support troubleshooting is logged and requires customer permission.
04 Audit log
Every meaningful event — note created, note signed, note edited, audio file uploaded, assistant turn, role granted, membership changed — is recorded to an append-only audit log within the practice's tenant. Signed notes are locked: subsequent AI-assisted edits are tracked with a visible diff against the signed version. The audit log survives a deletion of the underlying record (the log row is retained even after the data it referenced is purged), which matters for breach investigation and HIPAA accounting-of-disclosures requests.
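To make the three properties above concrete (log rows that cannot be changed or removed, log rows that outlive the record they describe, and signed notes whose later edits are recorded as a diff), here is an added example. It is an illustration written for this page, not Mesio's code or schema: the SQLite database, the `notes` and `audit_log` tables, the event names and the sample note text are all assumptions constructed for the demonstration.

```python
# Added example, not Mesio's code. Assumed schema and event names; the note
# text is constructed sample data. Runs offline against an in-memory SQLite DB.
import difflib
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE notes (
    id          INTEGER PRIMARY KEY,
    practice_id TEXT NOT NULL,
    body        TEXT NOT NULL,
    signed_body TEXT             -- frozen copy of the text at signing time
);
-- Deliberately no FOREIGN KEY on note_id: purging a note must not cascade here.
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    ts          TEXT NOT NULL,
    practice_id TEXT NOT NULL,
    actor       TEXT NOT NULL,
    event       TEXT NOT NULL,
    note_id     INTEGER,
    detail      TEXT             -- JSON; holds the diff for post-signature edits
);
-- Append-only is enforced by the database itself, not by application code.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
-- Once a note is signed, the frozen signed text can never be replaced.
CREATE TRIGGER notes_lock_signed BEFORE UPDATE OF signed_body ON notes
    WHEN OLD.signed_body IS NOT NULL
    BEGIN SELECT RAISE(ABORT, 'signed note is locked'); END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, practice_id, actor, event, note_id=None, detail=None):
    """Append one audit row; the practice_id keeps the log inside the tenant."""
    conn.execute(
        "INSERT INTO audit_log (ts, practice_id, actor, event, note_id, detail) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), practice_id, actor, event,
         note_id, json.dumps(detail) if detail is not None else None))
    conn.commit()


def create_note(conn, practice_id, actor, body) -> int:
    cur = conn.execute("INSERT INTO notes (practice_id, body) VALUES (?, ?)",
                       (practice_id, body))
    record(conn, practice_id, actor, "note.created", cur.lastrowid)
    return cur.lastrowid


def sign_note(conn, note_id, actor):
    practice_id, body = conn.execute(
        "SELECT practice_id, body FROM notes WHERE id = ?", (note_id,)).fetchone()
    conn.execute("UPDATE notes SET signed_body = ? WHERE id = ?", (body, note_id))
    record(conn, practice_id, actor, "note.signed", note_id)


def edit_note(conn, note_id, actor, new_body):
    """Edits stay allowed after signing, but are logged as a diff vs the signed text."""
    practice_id, signed = conn.execute(
        "SELECT practice_id, signed_body FROM notes WHERE id = ?", (note_id,)).fetchone()
    conn.execute("UPDATE notes SET body = ? WHERE id = ?", (new_body, note_id))
    detail = None
    if signed is not None:
        diff = difflib.unified_diff(signed.splitlines(), new_body.splitlines(),
                                    fromfile="signed", tofile="edited", lineterm="")
        detail = {"diff_vs_signed": "\n".join(diff)}
    record(conn, practice_id, actor, "note.edited", note_id, detail)


def purge_note(conn, note_id, actor):
    practice_id = conn.execute("SELECT practice_id FROM notes WHERE id = ?",
                               (note_id,)).fetchone()[0]
    conn.execute("DELETE FROM notes WHERE id = ?", (note_id,))
    record(conn, practice_id, actor, "note.purged", note_id)  # log row outlives the note


def events_for(conn, note_id) -> list:
    return [r[0] for r in conn.execute(
        "SELECT event FROM audit_log WHERE note_id = ? ORDER BY id", (note_id,))]


def last_edit_diff(conn, note_id):
    row = conn.execute("SELECT detail FROM audit_log WHERE note_id = ? AND "
                       "event = 'note.edited' ORDER BY id DESC LIMIT 1", (note_id,)).fetchone()
    return json.loads(row[0])["diff_vs_signed"] if row and row[0] else None


def log_is_immutable(conn) -> bool:
    """Attempt to tamper with the log; the database must refuse both attempts."""
    refused = 0
    for stmt in ("UPDATE audit_log SET actor = 'nobody'", "DELETE FROM audit_log"):
        try:
            conn.execute(stmt)
        except sqlite3.IntegrityError:  # RAISE(ABORT, ...) surfaces as a constraint error
            refused += 1
    return refused == 2


if __name__ == "__main__":
    db = open_db()
    nid = create_note(db, "practice-A", "dr.smith", "Tooth 14 MO composite.")
    sign_note(db, nid, "dr.smith")
    edit_note(db, nid, "assistant", "Tooth 14 MO composite.\nPatient tolerated well.")
    purge_note(db, nid, "admin")
    print(events_for(db, nid), log_is_immutable(db))
```

The point of the triggers is that the guarantee does not depend on every code path remembering to behave: a bug, a migration script, or a compromised application credential with ordinary table rights still cannot rewrite history. In production the same properties would also need the database role used by the application to lack the privilege to drop or alter the triggers, which this single-connection demo does not model.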
05 AI and your PHI
We do not train or fine-tune our AI models on patient PHI. Audio, transcripts, and generated notes from your practice are processed to deliver the service to you and discarded or retained per the BAA. PHI is excluded from training and evaluation datasets, including the eval fixtures we use internally to test the perio grammar and note generator.
When Mesio's AI calls third-party language model providers (e.g., for transcription or note generation), those calls happen through providers that have signed BAAs with Mesio. Provider-side training on customer data is contractually disabled. If a provider's BAA or no-training posture changes, we'll notify you in advance per the BAA's subcontractor terms.
06 Subprocessors
Mesio uses a small set of cloud infrastructure and AI subprocessors to deliver the Service. Each has a signed BAA with Mesio (where they touch PHI) and contractually agreed-to safeguards. The current subprocessor list is available on request — email security@mesio.ai. We notify Customer Practices in advance of material subprocessor changes per the BAA.
07 Recording consent and capture
You, the practice, are responsible for obtaining patients' consent to record their visits in compliance with your state's recording laws (several states require the consent of every party to the conversation, not just one). Mesio shows a recording indicator while audio capture is live, so neither the clinician nor the patient is in doubt that capture is on. Recording can be stopped at any time mid-visit, and patient requests concerning a recording are handled through the BAA's standard accounting-of-disclosures flow.
08 Reporting a vulnerability
If you've found a security issue in Mesio — anywhere in the Mesio App, the browser extension, the Mesio Bridge desktop agent, or our public-facing infrastructure — email security@mesio.ai. Please include reproduction steps, the affected URL or component, and (where applicable) any proof-of-concept. We respond to security reports within two business days and work in good faith with reporters; we will not pursue legal action for good-faith research that doesn't access real patient data, doesn't disrupt service, and follows responsible-disclosure norms.
09 What's in flight
Mesio is pre-launch. Some HIPAA-program items are still being formalized — independent third-party security audit (SOC 2 / HITRUST), a public status page, and a customer-facing trust portal. We're being transparent about that rather than printing badges we haven't earned. If you're evaluating Mesio for a practice with strict procurement requirements, ask us for our current compliance status — we'll tell you exactly where we are.
10 Questions
Security questions: security@mesio.ai
BAA, contracts, legal: legal@mesio.ai
Privacy / data access requests: privacy@mesio.ai