The posture, in one paragraph
SpiderLabs answers phone lines for appointment-driven businesses. For healthcare practices that means handling protected health information, and we treat that as the core design constraint, not an afterthought. We operate as your business associate under a signed BAA, store the minimum needed to run your front desk, log every access to patient content, and hold live patient traffic for a new practice until its compliant data environment is verified. The platform runs a live dental practice's front desk today.
We do not claim certifications we do not hold. If a specific attestation matters to your diligence, email security@spiderlabs.ai and we will tell you exactly where we stand.
How patient data flows
Your existing practice number forwards to us. Nothing changes for the caller.
The call is handled on a covered voice-processing subprocessor: conversation, transcription, and intent.
Calls, callbacks, and booking requests appear for your staff. Every transcript view and recording playback is logged.
Where enabled, appointments write into your schedule. Otherwise they queue for staff confirmation.
What we store, and what we never store
We store
- Operational records: caller identifiers, timestamps, event types, appointment and callback status, and safe metadata
- An audit log entry for every access to patient content
- Your practice configuration: services, hours, and team roles
We do not store, by default
- Bulk copies of raw call transcripts or recordings. Raw storage is off by default; content is retrieved on demand through an audited SpiderLabs route when a teammate opens a call
- Patient data in shared model training, ever
- Vendor branding or third-party URLs on the surfaces your staff use
The BAA
We sign with you. SpiderLabs signs a Business Associate Agreement with your practice as part of onboarding, and an executed BAA is a launch requirement: no patient data flows until it is signed. You can read the agreement on the HIPAA & BAA page and forward it to your counsel before sign day.
We require coverage upstream. We require business associate coverage from every subprocessor that handles patient data on our behalf before it carries your patients' traffic. The named list, with the current status of each agreement, is available under NDA or as an exhibit to your BAA. If a specific vendor agreement matters to your review, ask and we will tell you exactly where it stands.
Our database platform's BAA is executed, and activation of the HIPAA-controlled environment for your account is a launch gate: it happens during your onboarding, before your patients' data flows.
Subprocessors, by category
| Category | What it does | Patient data |
|---|---|---|
| Voice processing | Live call handling, transcription, and chat for your AI receptionist | Yes, during conversations |
| Cloud infrastructure | Hosting and serverless compute for call workflows and the dashboard | Yes, in processing |
| Database & authentication | Operational records, audit logs, and staff logins | Yes, operational records |
| Communications | Email and SMS alerts to your staff. This channel is pending activation; the dashboard is the operating notification surface today | Limited, staff notifications |
| Payment processing | Practice subscription billing | No patient data |
We keep vendor names off patient-facing and staff-facing surfaces by design. The full named subprocessor list is disclosed under NDA or as a BAA exhibit.
Uptime and incidents
We publish component status, active incidents, and 30-day uptime on our public status page. Our stated targets:
- 99.9% availability target for the voice line and dashboard
- Support response targets: urgent issues within 2 business hours, standard requests within 1 business day
- Incident notification without unreasonable delay; for anything involving PHI, the breach-notification terms of your BAA govern
Request documents
Practices in diligence can request our BAA copy, subprocessor exhibit, and security overview. We respond within 1 business day.
Common questions
Is SpiderLabs HIPAA compliant?
HIPAA has no official product certification, so be wary of any vendor that claims to be "HIPAA certified." What we do: operate as your business associate under a signed BAA, keep stored data to the minimum necessary, log every access to patient content, and hold live patient traffic until the compliant environment for your account is verified.
Where is patient data stored?
In US-based cloud infrastructure, encrypted in transit (TLS 1.3) and at rest (AES-256). Activation of the HIPAA-controlled database environment for your account is a launch gate in your onboarding, before your patients' data flows.
Can my staff see call recordings and transcripts?
Yes, based on their role in your dashboard. Content is retrieved on demand when a teammate opens a call, and every transcript view and recording playback is logged with who accessed it and when.
Do you train AI models on our patients' data?
No. We never use your patients' data to train shared models.
Do you have SOC 2?
Not yet, and we will not imply otherwise. If a specific attestation matters to your review, email security@spiderlabs.ai and we will tell you exactly where we stand.
Deeper reading: Security & compliance docs · Business Associate Agreement · Status