AITACS CRM is built from the ground up with privacy and compliance at its core. Here's exactly how we protect sensitive clinical information.
Your clients' real names, contacts, and dates of birth are never sent to AI. Period.
Two independent filters remove identifying data: one in your browser and one on our server.
Every AI request is timestamped and marked as de-identified for compliance verification.
When you use the AI assistant, your client's data passes through an automatic de-identification process before anything reaches the AI provider. This is not optional; it is enforced by the system architecture.
De-identification pipeline (the diagram on the original page):
1. Your browser holds the full record: name, contacts, DOB, clinical notes.
2. Client-side filter: removes all 18 HIPAA Safe Harbor identifiers and converts DOB to age.
3. Server-side filter: a second, independent check that scrubs residual patterns.
4. AI provider: receives only a pseudonym, an age, and the cleaned clinical context.
This architecture follows the HIPAA Safe Harbor standard (45 CFR §164.514(b)(2)), which lists the 18 types of identifiers that must be removed for data to be considered de-identified. Under that standard, all elements of dates other than the year must be removed, which is why the DOB is replaced with an age, and ages over 89 must be aggregated into a single "90 or older" category. Safe Harbor also requires that there be no actual knowledge that the remaining information could identify the individual, which is why the clinical context itself must not carry identifying details. Once de-identified, the data is no longer classified as Protected Health Information (PHI) under HIPAA.
All communications between your browser, our server, and the AI provider are encrypted using TLS 1.2 or higher. No data travels in plaintext.
A client-side JavaScript filter runs in your browser before data leaves your device. An independent server-side PHP filter provides a second check before forwarding to the AI. The two layers share no code, so a defect in one does not disable the other, and because the browser-side filter runs on a device we do not control, the server-side check is the layer the platform itself guarantees. Both filters work on recognisable identifier forms (the name and contacts on file, dates, phone numbers, e-mail addresses), which is why practitioners are also asked to write notes using pseudonyms (see the shared-responsibility section below).
Firebase Authentication assigns each account a unique User ID, and your data is isolated under that ID: no other user can access it. Two-factor authentication (2FA) is supported and recommended.
Every de-identified data object sent to AI is marked with a timestamp and a compliance-method identifier (which de-identification standard was applied). This creates an audit record that can be produced for regulatory review.
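To make the pipeline above concrete, here is an added example of what a client-side filter of this shape looks like in code. It is not AITACS CRM's own code; the field names (fullName, dob, email, phone, notes), the pseudonym scheme, the pattern list and the method label are assumptions made for illustration. It replaces the client's name with a pseudonym, converts the DOB to an age while collapsing ages over 89 into a single "90+" bucket as Safe Harbor requires, scrubs residual identifier patterns from the free-text notes, and tags the result with a timestamp and compliance-method identifier. A second function models the independent residual check that the server-side layer performs.

```javascript
// Added example, not AITACS CRM's own code: a client-side Safe Harbor-style
// de-identification filter of the shape this page describes. The field names
// (fullName, dob, email, phone, notes), the pseudonym scheme, the pattern
// list and the method label are assumptions made for illustration.

// Identifier patterns that tend to hide in free-text clinical notes.
// Order matters: specific patterns (SSN, dates) run before broad ones (ZIP).
// The ZIP pattern is deliberately conservative and will also mask other
// five-digit numbers; Safe Harbor permits keeping the first three digits for
// most areas, which this example does not attempt.
const PATTERNS = [
  ['URL',   /\bhttps?:\/\/\S+/gi],
  ['EMAIL', /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g],
  ['SSN',   /\b\d{3}-\d{2}-\d{4}\b/g],
  ['PHONE', /(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g],
  ['DATE',  /\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}[\/.-]\d{1,2}[\/.-]\d{2,4})\b/g],
  ['IP',    /\b(?:\d{1,3}\.){3}\d{1,3}\b/g],
  ['ZIP',   /\b\d{5}(?:-\d{4})?\b/g],
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Age in whole years at the reference date. Safe Harbor (45 CFR
// 164.514(b)(2)(i)(C)) requires ages over 89 to be aggregated, so anything
// above 89 collapses to the single category '90+'.
function ageFromDob(dobIso, asOfIso) {
  const dob = new Date(dobIso);
  const asOf = new Date(asOfIso);
  let age = asOf.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    asOf.getUTCMonth() < dob.getUTCMonth() ||
    (asOf.getUTCMonth() === dob.getUTCMonth() && asOf.getUTCDate() < dob.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age > 89 ? '90+' : age;
}

// Replace the full name and each name part (longest first) with the pseudonym.
function pseudonymize(text, fullName, pseudonym) {
  const parts = fullName.trim().split(/\s+/);
  const tokens = [fullName.trim(), ...parts]
    .filter((t) => t.length > 1)
    .sort((a, b) => b.length - a.length);
  let out = text;
  for (const t of tokens) {
    out = out.replace(new RegExp('\\b' + escapeRegExp(t) + '\\b', 'gi'), () => pseudonym);
  }
  return out;
}

// Mask every pattern hit, counting hits per category for the audit record.
function scrubPatterns(text) {
  const removed = {};
  let out = text;
  for (const [label, re] of PATTERNS) {
    out = out.replace(re, () => {
      removed[label] = (removed[label] || 0) + 1;
      return '[' + label + ']';
    });
  }
  return { text: out, removed };
}

// The filter proper: known contact fields go first (exact match), then the
// name, then the pattern scrub, so a contact pasted into the notes is caught
// even though the structured field itself is never sent.
function deidentify(record, { pseudonym, asOf = new Date().toISOString() } = {}) {
  const tag = pseudonym || 'Client-' + Math.random().toString(16).slice(2, 8);
  let notes = record.notes || '';
  for (const v of [record.email, record.phone].filter(Boolean)) {
    notes = notes.split(v).join('[CONTACT]');
  }
  notes = pseudonymize(notes, record.fullName || '', tag);
  const { text, removed } = scrubPatterns(notes);
  return {
    pseudonym: tag,
    age: ageFromDob(record.dob, asOf),
    notes: text,
    // Timestamp plus compliance-method identifier, as the page describes.
    meta: { deidentified_at: asOf, method: 'HIPAA-SafeHarbor-45CFR164.514(b)(2)', layer: 'client', removed },
  };
}

// Independent residual check (the page's second layer is server-side PHP;
// modelled here in JavaScript): labels of any pattern still present.
function residualIdentifiers(text) {
  return PATTERNS.filter(([, re]) => { re.lastIndex = 0; return re.test(text); })
                 .map(([label]) => label);
}

// Constructed sample record; not real client data.
const SAMPLE = {
  fullName: 'Jane Doe',
  dob: '1984-03-15',
  email: 'jane.doe@example.com',
  phone: '(555) 123-4567',
  notes: 'Jane Doe (DOB 03/15/1984) reports improved sleep. Contact jane.doe@example.com ' +
         'or (555) 123-4567. Ms. Doe lives at ZIP 90210.',
};

const cleaned = deidentify(SAMPLE, { pseudonym: 'Client-7', asOf: '2025-06-01T00:00:00Z' });
console.log(JSON.stringify(cleaned, null, 2));
console.log('residual identifiers:', residualIdentifiers(cleaned.notes));
```

Two design points worth noticing. The residual check reuses the same pattern list only for brevity; in the architecture on this page the second layer runs on the server in a different language, so a broken or tampered browser bundle cannot silently disable both checks. And a filter like this only catches identifiers in forms it recognises: a nickname, a relative's name or a workplace written into the notes passes straight through, which is exactly why the practitioner's own use of pseudonyms remains part of the control.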
Regular encrypted database backups. Data export available in JSON format at any time. Full deletion upon account termination within 30 days.
Documented procedures for detecting, containing, and reporting security incidents. GDPR-compliant notification of the supervisory authority within 72 hours (Art. 33) and HIPAA-compliant breach notification within 60 days of discovery (45 CFR §§164.404–164.410). See Incident Response Policy.
Data transmitted to AI is de-identified per the Safe Harbor standard (45 CFR §164.514(b)(2)). Platform architecture follows HIPAA Privacy Rule and Security Rule requirements. Business Associate Agreement available for Covered Entities. Read the BAA.
Full compliance with GDPR Articles 5–49. Data Processing Agreement (Art. 28) available. Data subject rights (Art. 15–22) supported. International transfers protected by Standard Contractual Clauses (Art. 46). Read the DPA.
Compliant with Israel's Protection of Privacy Law, 1981, and the Protection of Privacy (Data Security) Regulations, 2017. Provider is registered in the State of Israel.
AITACS CRM uses OpenAI's API for AI-assisted analysis. Key facts about how OpenAI handles your de-identified data:
No model training: data sent through the OpenAI API is not used to train or improve OpenAI's models by default. Retention: API inputs and outputs may be retained for up to 30 days for abuse and misuse monitoring, then deleted. Remember: what OpenAI receives, and therefore what sits in that retention window, is only de-identified data: pseudonym, age, and scrubbed clinical context. No PHI.
Security is a partnership between AITACS CRM and you as the practitioner. We handle server security, de-identification, encryption, and incident response. You are responsible for device security, using pseudonyms, obtaining client consent, and following the User Security Requirements.
Related documents: Terms of Service · Privacy Policy · Data Processing Agreement · Business Associate Agreement · Subprocessor List · Security Requirements · Informed Consent · Incident Response · Copyright Policy