Kevin! is built from the ground up for healthcare. We implement the security and compliance safeguards your patients and practice deserve — because trust isn't optional when lives are involved.
TLS 1.2+ in transit, AES-256 at rest. Your data is encrypted at every stage.
Full administrative, physical, and technical safeguards per HIPAA Security Rule.
Hosted on Google Cloud Platform — SOC 2 Type II certified data centers.
Real-time intrusion detection, vulnerability scanning, and audit logging.
Google Cloud Platform — All data is hosted on GCP infrastructure with SOC 2 Type II certification, ISO 27001 compliance, and a signed HIPAA Business Associate Agreement.
When healthcare providers use Kevin! to process Protected Health Information (PHI), Rushin InTegrations acts as a Business Associate under HIPAA. We implement the full spectrum of safeguards required by the HIPAA Security Rule and maintain strict compliance with the Privacy Rule and Breach Notification Rule.
We provide Business Associate Agreements for all healthcare customers before any PHI is transmitted.
Role-based access, MFA, and the minimum necessary standard — we access only the PHI needed to deliver services.
All team members receive mandatory HIPAA privacy and security training with annual refreshers.
Formal incident response plan with notification to covered entities within 60 days of discovery.
🚫 We do NOT use your data to train AI models, and our signed BAAs with Google and OpenAI prohibit them from doing so.
Your clinical inputs and PHI are confidential and used solely to provide Kevin!'s services to you. They are not sold, not retained by model providers for their own purposes, and not used for general model training.
| Provider | Used For | BAA | Training / Sale | Retention |
|---|---|---|---|---|
| Google | Gemini inference | Signed | No training or sale under our BAA | No retention for provider purposes |
| OpenAI | GPT inference | Signed | No training or sale under our BAA | No retention for provider purposes |
| Rushin InTegrations | Service delivery, audit, support, and HIPAA operations | Customer BAA available | No sale or general-purpose model training | Only as needed for Services and HIPAA/BAA duties; AES-256 at rest |
AI inference uses Google Gemini 3.1 Pro, Gemini 3.5 Flash, and OpenAI GPT-5.5 under signed BAAs with Google and OpenAI. Those agreements require confidential handling and prohibit using PHI or clinical inputs to train models or sell data.
Audio is processed in real time and deleted immediately after transcription. Raw audio is never retained unless you explicitly opt in. Speech-to-text is powered by AssemblyAI under a signed BAA.
All subprocessors are contractually bound to process data only as instructed, never use your data for their own purposes, maintain equivalent security standards, keep information confidential, and enter into BAAs where required.
We maintain a formal Incident Response Plan that defines how we detect, contain, investigate, and resolve security incidents. In the event of a breach of unsecured PHI:
Continuous monitoring and automated alerting to identify incidents in real time.
Affected systems are isolated within hours. Evidence is preserved for investigation.
Covered entities notified within 60 days of discovery, with full incident details.
Every incident is documented, reviewed, and used to strengthen our security posture. Post-incident reviews are conducted within 14 days of closure.
How we collect, use, and protect your information — including PHI handling, data retention, and your rights.
Your agreement with us — including permitted uses, medical disclaimers, liability, and HIPAA obligations.
Need a Business Associate Agreement? Contact our legal team and we'll get you set up.
SOC 2 Type II, ISO 27001, and HIPAA compliance — our cloud infrastructure provider.
SOC 2 Type II, PCI DSS, and HIPAA compliant — our speech-to-text provider.
We're happy to discuss our security practices, provide compliance documentation, or walk through our architecture with your IT team.