Security and PHI readiness
Last updated: June 19, 2026
Current PHI status: Bella does not accept PHI until your organization has a signed Business Associate Agreement and PHI onboarding approval. Do not send medical details, member IDs, claim data, or client documents through public forms or email.
What is public
davepartner.ai is a public marketing site. It is for product information, waitlist requests, and contact. It is not a PHI intake surface.
What requires approval
app.davepartner.ai is the future authenticated product boundary for regulated workflows. PHI access is allowed only after the account has the right contract, vendor coverage, access controls, and audit evidence in place.
Required PHI controls
- Signed customer BAA before any PHI use.
- Verified vendor BAAs for every subprocessor that can access PHI.
- MFA for administrators and staff who can access PHI.
- Role-based access control and tenant isolation.
- Audit logs for PHI view, create, update, delete, export, and admin actions.
- Encryption in transit and at rest for databases, files, and backups.
- PHI-safe logging so PHI is not stored in URLs, request logs, error traces, analytics, or AI prompts outside the approved boundary.
- Backup restore testing, incident response, breach notification, and access review procedures.
Reporting a security issue
Email [email protected] with a clear description, affected URL, and safe reproduction steps. Do not include PHI in the report.
BAA requests
If your organization needs to use Bella with PHI, start with the BAA readiness page. We will not approve PHI workflows until the legal and technical gates are complete.