Security & compliance
SpiderLabs handles protected health information, so patient-data protection is part of how we run — and how we launch. This page is written for the buyer and the compliance reviewer: the BAA process, how access to patient data is controlled and audited, our data-handling posture, and the gate before any live patient data flows.
At a glance
- We sign a BAA as part of onboarding, and an executed BAA is required before you go live.
- Access to patient content is audited — every transcript view and recording playback is logged.
- Minimum-necessary by posture: we store the least needed to run your front desk and never train shared models on your data.
- A hard live-PHI gate: live patient data flows only after the BAA and a verified compliant environment are in place.
We describe only what we operate
Provider-neutral by design
Your team works in one clean, provider-neutral dashboard — SpiderLabs and your own business, with no third-party vendor branding — and access to patient data is audited. We call this Mirror Mode. It is a trust benefit you get by default, not something you configure.
The BAA process
SpiderLabs signs a Business Associate Agreement as part of onboarding. The BAA is the contract that governs how we handle patient data on your behalf under HIPAA — including our obligations around safeguards, permitted use, and breach notification. An executed BAA is a launch requirement: no patient data flows until it is signed and on file. You can review the agreement itself on the HIPAA & BAA page.
The live-PHI activation gate
For a new customer, live patient-PHI traffic is not switched on until two things are true:
- the BAA is executed and on file, and
- the compliant data environment for your account is active and verified during onboarding.
Until both are in place, a business can still launch in callback-first mode with the minimum-necessary posture below. See Getting started for how this fits into a launch.
No shortcuts on the gate
Audited access to transcripts & recordings
Reading a call transcript or playing a recording is a logged event. Each access is recorded with who viewed it and when, so there is an accountable trail over patient content. Content is retrieved when a teammate opens a call rather than bulk-copied into the dashboard, which keeps exposure to the minimum necessary and every view traceable.
Data-handling posture
We keep to the minimum necessary to run your front desk and give you an audit trail. In practice that means:
- We store operational data — identifiers, timestamps, event types, appointment and callback status, and safe metadata — not bulk copies of raw transcripts or recordings.
- Access is role-based, so each teammate sees only what their role allows.
- Each business’s data is isolated to its own account; one account cannot read another’s calls, patients, or appointments.
- We do not use your patients’ data to train shared models.
Who owns the data
Your patient data is yours. We process it to operate your AI front desk under the BAA, keep it isolated to your account, and return or dispose of it per the BAA when our relationship ends. Data-handling questions and data-subject requests go to privacy@spiderlabs.ai.
Reporting a security concern
Keep exploring