Kevin! is built from the ground up for healthcare. We implement the security and compliance safeguards your patients and practice deserve — because trust isn't optional when lives are involved.
TLS 1.2+ in transit, AES-256 at rest. Your data is encrypted at every stage.
Full administrative, physical, and technical safeguards per HIPAA Security Rule.
Hosted on Google Cloud Platform — SOC 2 Type II certified data centers.
Real-time intrusion detection, vulnerability scanning, and audit logging.
Google Cloud Platform — All data is hosted on GCP infrastructure with SOC 2 Type II certification, ISO 27001 compliance, and a signed HIPAA Business Associate Agreement.
When healthcare providers use Kevin! to process Protected Health Information (PHI), Rushin InTegrations acts as a Business Associate under HIPAA. We implement the full spectrum of safeguards required by the HIPAA Security Rule and maintain strict compliance with the Privacy Rule and Breach Notification Rule.
We provide Business Associate Agreements for all healthcare customers before any PHI is transmitted.
Role-based access, MFA, and minimum necessary standard — we access only the PHI needed to deliver services.
All team members receive mandatory HIPAA privacy and security training with annual refreshers.
Formal incident response plan with notification to covered entities within 60 days of discovery.
🚫 We do NOT use your data to train AI models. Period.
Your clinical inputs and PHI are used solely to provide Kevin!'s services to you. Any model improvements use fully de-identified or synthetic data.
All AI inference runs through Google Vertex AI, covered by our Google Cloud BAA. No PHI is sent to any third-party AI provider without a signed Business Associate Agreement.
Audio is processed in real time and deleted immediately after transcription. Raw audio is never retained unless you explicitly opt in. Speech-to-text is powered by AssemblyAI under a signed BAA.
All subprocessors are contractually bound to process data only as instructed, never use your data for their own purposes, maintain equivalent security standards, and enter into BAAs where required.
We maintain a formal Incident Response Plan that defines how we detect, contain, investigate, and resolve security incidents. In the event of a breach of unsecured PHI:
Continuous monitoring and automated alerting to identify incidents in real time.
Affected systems are isolated within hours. Evidence is preserved for investigation.
Covered entities notified within 60 days of discovery, with full incident details.
Every incident is documented, reviewed, and used to strengthen our security posture. Post-incident reviews are conducted within 14 days of closure.
How we collect, use, and protect your information — including PHI handling, data retention, and your rights.
Your agreement with us — including permitted uses, medical disclaimers, liability, and HIPAA obligations.
Need a Business Associate Agreement? Contact our legal team and we'll get you set up.
SOC 2 Type II, ISO 27001, and HIPAA compliance — our cloud infrastructure provider.
SOC 2 Type II, PCI DSS, and HIPAA compliant — our speech-to-text provider.
We're happy to discuss our security practices, provide compliance documentation, or walk through our architecture with your IT team.