Security & trust

You’re routing patient conversations through us. Here’s how we earn that.

Everything on this page is what we actually have today — no aspirational badges. Where something is in progress, it says in progress, with where to check back. Want any of it in writing before a pilot? One email.

Request the BAA & security packetWhy practices choose Revado
HIPAA posture

HIPAA-first, not HIPAA-adapted.

PHI handling

Revado operates as a business associate to your practice. PHI is processed only to deliver the service — conversations, scheduling, and write-back to your PMS — never for advertising, and never sold.

Encryption

Patient data is encrypted in transit and at rest. Access to production systems is restricted, logged, and reviewed.

Access control

Roles are scoped: your team members see what their role needs, and every PHI access is timestamped and exportable. The audit log is built into the product, not bolted on.

Retention & deletion

PHI retention and deletion terms are defined in the BAA. On termination, PHI is returned or deleted per the agreement — you don’t have to chase us for it.

Paperwork

The documents procurement will ask for.

BAA

Available on request before any pilot starts — not after. Email trust@revado.ai and we’ll send it the same day.

Subprocessors

The vendors that touch data — telephony, LLM, SMS, and transcription providers — are disclosed in the BAA addendum, with the data category each one handles. Full current list available on request.

SOC 2 Type II

In progress. We’ll publish the auditor and report date on this page as soon as the audit window closes. Until then, we’re happy to walk your security reviewer through our controls directly.

Security questionnaires

Send us yours — vendor security questionnaires and risk assessments are answered by the team that built the system, typically within a few business days.

Operations

When something needs attention.

Incident response

Security incidents are triaged immediately and affected practices are notified per the BAA’s breach-notification terms. The direct line is trust@revado.ai.

Vulnerability reporting

Found something? Email security@revado.ai. We read every report, respond to actionable ones, and credit researchers who ask.

AI guardrails

Voice and text agents operate inside scripts and escalation rules your practice approves. Clinical questions are never answered by the AI — they route to your team by rule.

Data boundaries

Your patient list is yours. We don’t use one practice’s data to serve another, and campaigns only reach patients from your own chart.

Common questions

What security reviewers ask us.

Will Revado sign a BAA before we share any patient data?

Yes — that’s the required order of operations, not a favor. Email trust@revado.ai and the BAA arrives the same day, before any pilot or data connection begins.

Is Revado SOC 2 certified?

SOC 2 Type II is in progress. We publish the status honestly rather than claiming a certificate we don’t hold yet, and we’ll post the auditor and report date here when the audit window closes. Your security team can review our controls directly in the meantime.

Which vendors see patient data?

Telephony, LLM, SMS, and transcription subprocessors — each disclosed in the BAA addendum with the data category it handles. Request the full current list at trust@revado.ai.

Can we audit what the AI said to our patients?

Yes. Every conversation — voice and text — is recorded as a thread with timestamps, and PHI access is logged and exportable. Nothing the agent does is invisible to the practice.

More questions on the product itself? See the full FAQ or our privacy policy.

Put our answers in front of your security reviewer.

BAA, subprocessor list, and questionnaire answers — sent same day. If your reviewer wants a call with the engineers who built the system, we’ll set it up.