Shifaa AI
Security & privacy

Security that's stated, not just promised.

You handle the most sensitive data there is. Shifaa AI's architecture is privacy-first — encryption at rest, an append-only audit log, strict clinic isolation — and every claim on this page is specific enough to be checked.

Get the app Book a demo
  • Built around HIPAA security principles
  • Sub-processors disclosed
  • AI kill-switch included
The architecture

Four layers between your patients and risk.

Encrypted on device

Sensitive on-device data — chat history, notes and the offline queue — is encrypted at rest with AES-256.

Immutable audit log

An append-only record of every action, including PHI access and export — designed around HIPAA §164.312(b) principles.

Clinic-scoped by default

Every endpoint enforces clinic isolation. One workspace can never see another's patients, staff or data.

Hardened accounts

bcrypt hashing, refresh tokens stored only as SHA-256 hashes with rotation, login rate-limiting and OTP verification.

AES-256SHA-256§164.312(b)bcryptOTP + rate-limiting
Built around HIPAA security principlesAES-256 at rest (device)Append-only audit logClinic-scope enforcementAI kill-switch & spend caps
Our stance

Trust is built on what you can verify.

Honest claims only

We say “built around HIPAA security principles” because that's what the architecture is — we don't claim certifications we don't hold. What we build, we state; what we don't, we won't.

Sub-processors, disclosed

AI features are powered by Anthropic (Claude) and OpenAI (Whisper), which process relevant data to deliver those features. That's stated here, in the app and in the footer of every page — never hidden.

AI under your governance

A global AI kill-switch disables AI features instantly, and daily spend guardrails cap usage. The queue, records, vitals and prescriptions all work with AI off.

Questions

Data protection, answered plainly.

How is patient data protected?

The architecture is privacy-first and designed around HIPAA's security principles (§164.312(b)). Sensitive on-device data is encrypted at rest with AES-256, every action is written to an append-only audit log including PHI access and export, and each clinic is strictly isolated. AI features use Anthropic and OpenAI as disclosed sub-processors.

Is Shifaa AI HIPAA certified?

We don't claim certification — there is no official “HIPAA certification”, and we won't borrow the label. What we state is verifiable architecture: encryption at rest, an append-only audit log designed around §164.312(b), clinic-scope enforcement and hardened account security.

Who can see a clinic's data?

Only that clinic's team, by role. Every endpoint enforces clinic isolation — one workspace can never see another's patients, staff, settings or analytics. Within a clinic, Owner, Doctor, Receptionist and Nurse roles have a granular permission matrix.

What happens to audio and AI data?

Voice and clinical context are processed by our disclosed sub-processors (OpenAI Whisper for transcription, Anthropic Claude for drafting) to deliver the feature you invoked. Every AI action is recorded in the audit log, and daily spend guardrails plus the kill-switch keep AI use bounded.

Keep exploring

More of the clinic day, handled.

AI medical scribe

How voice becomes a SOAP note — with Whisper and Claude as disclosed sub-processors.

Learn more

All features

The whole clinic day in one app — queue, notes, prescriptions, records, analytics.

Learn more

FAQ

Does the AI diagnose? Is there a web app? Honest answers to common questions.

Learn more
For doctors & clinics

Run your clinic day with Shifaa AI.

Get the app and start free, or book a 15-minute demo to see the queue, voice-to-SOAP and AI decision support on a real visit.

  • Free plan never expires
  • iOS & Android
  • Doctor stays in control