Compliance isn't a checkbox. It's the product.
HASP is built on real governance infrastructure — not a BAA stapled to a chat wrapper. Every prompt is scanned for PHI before leaving your tenant. Every action is hash-chained and Ed25519-signed. Every claim on this page has a verifiable artifact behind it.
Every chat turn, uploaded text, and API call traverses the same pipeline. No surface can bypass it — not the UI, not the API, not the embedded Studio. PHI never reaches the model unprotected. Every step fires an audit event.
Each layer operates independently and is independently auditable. A failure at one layer doesn't silently collapse the others.
Before any AI call is processed, the gateway checks that your organization has a countersigned, in-date Business Associate Agreement. No BAA — no AI traffic, full stop. The check runs at the gateway, not in application code, so it cannot be bypassed by any surface (UI, API, or embedded Studio).
View the BAA →Every chat turn, uploaded text, and tool definition passes through HASP's own PHI detection pipeline — with healthcare-specific custom recognizers — before any prompt leaves HASP. Your policy decides what happens next: send PHI to the model under your BAA, redact it before inference (and restore it in the response), or block the request entirely. Detection events are logged with the categories that fired, the action taken, and the user who initiated the request.
Trace the data flow →Every product-level event — chat turn, document upload, RAG retrieval, BAA accepted, API call, admin action — is an immutable entry in a hash-chained log. Each entry is signed with an Ed25519 key bound to your tenant; the public key is published. Periodic checkpoints are anchored to an RFC 3161 Time Stamping Authority so timestamps are attested by an independent third party. The chain can be verified on your auditor's machine without any HASP software.
See the verification recipe → Walk through a compliance export →Each Enterprise-tier organization gets a dedicated data plane — its own database, its own vector index, its own file storage, on dedicated infrastructure. There's no logical multi-tenancy at the data layer for Enterprise customers. Your data doesn't share compute with any other customer. Provisioning completes within minutes of BAA countersign.
Data isolation details →HIPAA, GDPR / CCPA, and PIPEDA are platform-level commitments from V1 launch. SOC 2 and HITRUST posture is inherited from our compliance substrate and available under NDA while we pursue direct certification.
Business Associate Agreements available before signature. Control matrix, BAA, and data-flow inventory available to active prospects. The gateway enforces BAA status; the audit chain records every PHI-adjacent event. Breach notification within 60 days of discovery per 45 CFR §164.412 — faster in practice.
Platform-level implementation from day one. Article 17 erasure (30-day offboarding window, full cascade), Article 20 portability (machine-readable export), Article 30 records of processing, ADM role boundaries. CCPA deletion and export served by the same mechanisms.
Canada's federal private-sector privacy law. All ten PIPEDA fair-information principles are satisfied by the same controls that underpin GDPR — consent, access, erasure, portability, and sub-processor accountability. Cross-border transfer accountability under Schedule 1 §4.1.3 is discharged through contractual clauses in the DPA. The control set is also built to satisfy Canada's forthcoming CPPA (Bill C-27) when it comes into force.
Our compliance substrate carries a SOC 2 Type II report that covers the infrastructure and operational controls HASP runs on. The substrate report is available under mutual NDA on request. HASP's own SOC 2 engagement is planned for $100K ARR or the first qualified enterprise deal, whichever comes first.
HITRUST posture is inherited from our compliance substrate. Attestation letter available under NDA on request. Direct HITRUST certification follows after SOC 2 completion.
What follows answers the most common SIG / CAIQ / HECVAT questionnaire categories. Detailed questionnaire responses are available on request.
Categories of downstream processors. The complete vendor-named register lives in the sub-processor register and the DPA. Changes carry a 30-day advance-notice obligation under the DPA. You can object to a new sub-processor before any change takes effect. Last updated: May 2026.
| Capability | Role | Purpose | Data in scope | Location |
|---|---|---|---|---|
| HIPAA-eligible compliance substrate | Infra | Managed database, application hosting (compute + network); HIPAA + SOC 2 substrate inheritance | Application data, per-org databases, audit infrastructure | United States (dedicated infrastructure) |
| Inference providers | AI | Inference for chat, document analysis, AI Studio, public API, and agent workflows — direct integrations under HASP-direct BAAs. See the sub-processor list for named providers and the model catalog for supported models. | De-identified prompt + completion content (PHI redacted by HASP before send) | United States |
| Embedding provider | AI | Document embeddings for RAG | Document text after PHI redaction | United States |
| Web search provider (primary) | AI | Web search retrieval for the AI's web.search tool | Search queries only. HASP ensures no PHI is ever transmitted to this provider. | United States |
| Web search provider (fallback) | AI | Web search retrieval — optional fallback | Same scope as primary. HASP ensures no PHI is ever transmitted to this provider. | United States |
| Edge CDN / object storage | Infra | CDN, object storage, DNS, SSL, custom domain routing (usehasp.run) | Request metadata only — IP, TLS handshake, User-Agent. No PHI at edge. | Global (US-headquartered) |
| Payment processor | Business | Subscription billing, four-meter usage reporting, payment processing, tax calculation | Customer billing metadata; no PHI | United States |
| Transactional email provider | Business | Transactional email delivery | Email addresses, transactional message content; no PHI | United States |
| Enterprise SSO (SAML) | Business | SAML 2.0 SSO, SCIM provisioning (Business + Enterprise tiers) | Identity attributes, group memberships. No PHI. | United States |
| OAuth identity providers | Business | OAuth authentication (when Customer enables provider sign-in) | Authentication identity attributes; no PHI | United States |
| Error tracking | Analytics | Application error monitoring and performance telemetry | Application telemetry; PHI scrubbed at source | United States |
| Product analytics | Analytics | Product analytics (only when end user consents via cookie banner) | Marketing-site and consented in-app behavior. No PHI. | United States |
Most HIPAA-compliant AI vendors are a BAA and a chat UI. We built governance infrastructure that holds up the first time you get audited — and we can prove it. Here's what distinguishes real compliance from a checkbox.
The audit log can be verified on your auditor's own machine with no HASP software in the loop. Download the export, run the script, confirm both the hash chain and each Ed25519 signature. The verification recipe is public. Competing vendors have audit logs; they don't have independently verifiable ones.
Verification recipe →PHI scanning fires an audit event with the entity categories that triggered, the action taken (de-identify / allow / block), and the user who initiated it. You can answer "was any PHI in that conversation?" in 30 seconds from an audit export. No other HIPAA AI vendor provides this at the application-log level.
Data-flow inventory →HASP is the only HIPAA-compliant AI platform that also includes a full internal-app builder. The tools your team publishes — intake forms, care-coordination dashboards, referral workflows — run under the same BAA, on the same audit trail, on the same bill. Every other HIPAA AI wrapper on the market has no tool-building capability; the general-purpose internal-tool builders aren't HIPAA-compliant.
Your data never shares a database with another customer. Every Enterprise-tier org gets a dedicated data plane on dedicated infrastructure. Logical multi-tenancy with row-level security is not dedicated-plane data isolation — cluster-level isolation is. We do the latter.
The data-flow inventory traces every hop from browser to storage, with per-hop controls, retention curves, and BAA scope. It's written to map directly to SIG, CAIQ, and HECVAT question categories — so your procurement team isn't building this from scratch.
Read the data-flow inventory →Most compliance AI vendors gate their strongest audit features — tamper-evidence, signed exports, extended retention — behind enterprise tiers. HASP does not. The signed audit chain, Ed25519 verification, and RFC 3161 timestamp anchoring apply to every paid plan, including Solo. A solo practitioner gets the same audit guarantees as a tier-1 health system. Higher tiers add analytics depth and retention windows — not the integrity of the chain itself.
HASP holds direct BAAs with every inference provider in the path — and exposes them through one HASP BAA you sign. As we add inference providers, your BAA doesn't change; we handle the chain downstream and notify you 30 days before any sub-processor change takes effect. No third-party AI gateway in the path.
Security questionnaires (SIG, CAIQ, HECVAT, or customer-specific forms) are completed promptly. The SOC 2 substrate report, penetration-test summary, BAA, DPA, attestation letters, and vendor-specific security overview PDFs are available under a mutual NDA.