Security

Last updated: May 13, 2026

Security is a first-class requirement at Fiftyfoursix Medical AI. We protect every patient call and clinic workflow with end-to-end encryption, hardened infrastructure, and a strict data-minimization policy: PHI is processed only for as long as necessary to route a message or complete the clinical task it was provided for.

Encryption

  • In transit: TLS 1.2+ across every public endpoint, internal API, and telephony bridge.
  • At rest: AES-256 across databases, object storage, and encrypted backups.
  • Key management: keys are managed in an HSM-backed KMS with automated rotation and strict separation of duties.

Data Minimization & Retention

We collect only the information required to route a call or schedule an appointment. PHI is purged from active systems as soon as the workflow is complete and rotated out of encrypted backups on a defined schedule. We do not stockpile PHI for analytics, and we do not use PHI to train third-party AI models.

Identity & Access

  • SSO and multi-factor authentication required for all workforce access.
  • Role-based, least-privilege access; no standing production access without approval.
  • Just-in-time access elevation with full audit trail.
  • Quarterly access reviews and immediate revocation on workforce changes.

Infrastructure

  • Hosted in U.S.-based, SOC 2 Type II–audited cloud regions with 24/7 physical security.
  • Network isolation via private subnets, security groups, and a deny-by-default egress posture.
  • Hardened, automatically patched container images with no shared workloads across tenants’ PHI.

Application Security

  • Secure SDLC with mandatory peer review, automated SAST/DAST, and dependency scanning on every change.
  • Annual third-party penetration tests; remediation tracked to closure.
  • Coordinated vulnerability disclosure program — see contact below.

Monitoring & Incident Response

  • Centralized, immutable logging with 24/7 alerting on anomalous access to PHI.
  • Documented incident-response plan with defined severity levels and escalation paths.
  • Tabletop exercises performed at least annually.
  • Breach notification to affected clinics without unreasonable delay, in line with HIPAA § 164.410.

Business Continuity

  • Multi-AZ deployments with automated failover for the call-routing path.
  • Encrypted backups tested through periodic restore drills.
  • Documented RTO and RPO targets reviewed annually.

Compliance

Our controls align with HIPAA Security Rule requirements and SOC 2 Trust Services Criteria. See our HIPAA page for details on safeguards specific to protected health information.

Report a Vulnerability

Responsible disclosure is welcomed at info@fiftyfoursix.com. Please do not access or modify PHI when researching potential issues.

Questions about this policy? Email info@fiftyfoursix.com.