top of page
Homepage

Waitly.ai

Login
Book a Demo

Security & Infrastructure

Executive Summary

At Waitly.ai, patient data security is the foundation of our platform. We employ enterprise-grade encryption, defense-in-depth infrastructure design, and strict compliance with healthcare regulations to protect your patients' information.

Compliance & Data Privacy

HIPAA Compliance
Waitly is fully HIPAA-compliant. We execute Business Associate Agreements (BAAs) with all covered entities prior to any data exchange.

 

Data Ownership
Your organization retains full ownership of all patient data. Waitly does not sell, rent, or share patient PII/PHI with third parties under any circumstances.

​

AI Safety

  • Patient data used for AI-powered features is processed in isolated, secure environments

  • We do not use identifiable patient data to train public or generative AI models

  • AI processing occurs only within the context of your practice's authorized workflows

Cloud Infrastructure

Cloud Platform
Waitly is hosted on Google Cloud Platform, utilizing infrastructure that maintains the following certifications:

  • ISO 27001 (Information Security Management)

  • SOC 1, SOC 2, and SOC 3

  • HIPAA Compliance (with BAA)

​

Network Security

  • All application services operate within an isolated private network

  • Database connections are restricted to internal traffic only—no public internet exposure

  • All public endpoints use managed SSL certificates with automatic renewal

Encryption

Encryption in Transit
All data transmission is encrypted using TLS 1.2+:

  • API communications between your EHR and Waitly

  • Dashboard access for your staff

  • Patient-facing communications

​

Encryption at Rest

  • All databases are encrypted using AES-256

  • Sensitive credentials (EHR API keys, integration secrets) are encrypted at the application level before storage

  • All backup data is encrypted

EHR Integration Security

Least Privilege Access
Our EHR integrations operate on a principle of least privilege. We request only the specific API scopes necessary for:

  • Reading patient demographics and contact information

  • Reading and writing appointment schedules

  • Accessing provider availability

​

Write-Back Controls
All modifications to your EHR are strictly logged and attributable to the Waitly application, ensuring a clear audit trail.

Access Control & Monitoring

Role-Based Access Control (RBAC)
Granular permission settings ensure that only authorized personnel within your organization can access the Waitly dashboard.

​

Audit Logging
We maintain detailed logs of all system access and data processing activities for security audits.

 

Vendor Access
Waitly engineering staff have zero standing access to customer production data. Access is granted only on an as-needed basis for support, requiring temporary elevated privileges and logging.

 

Multi-Tenant Data Isolation
Complete logical separation ensures no cross-organization data access is possible.

Data Backup & Disaster Recovery

Automated Backups
We maintain automated backups with point-in-time recovery capabilities to ensure business continuity.

 

Recovery Capabilities

  • Recovery Point Objective (RPO): Minutes

  • Recovery Time Objective (RTO): Hours

  • Automatic failover for application services

Incident Response

Disaster Recovery
Waitly maintains a documented incident response plan with continuous monitoring, defined escalation procedures, and immediate containment protocols.

 

Breach Notification
In the unlikely event of a security incident, Waitly will notify affected partners within 24 hours, in full accordance with HIPAA Breach Notification Rules.

Vendor Security

All third-party services we integrate with maintain HIPAA-compliant status with executed BAAs where applicable, and SOC 2 Type II certification or equivalent.

Application Security

  • Input validation on all API endpoints

  • Protection against common vulnerabilities (SQL injection, XSS, CSRF)

  • Industry-standard HTTP security headers

  • All API endpoints require authentication

  • Rate limiting to prevent abuse

​​​

We are committed to transparency and welcome questions about our security practices. Upon request, we can provide additional documentation including our HIPAA compliance attestation and Business Associate Agreement.

bottom of page