HIPAA-grade by default
Every vendor we use to process PHI has a signed Business Associate Agreement with us. We sign one with your practice. Standard healthcare chain-of-custody.
Trust + Security
What we do with your patients' data.
Cura handles Protected Health Information for every practice we serve. That means HIPAA, BAAs, encryption, audit logs, and a chain of custody that holds up. Here's how it works, on one page.
Encrypted everywhere
Calls, transcripts, and patient data are encrypted in transit (TLS 1.3) and at rest (AES-256). No exceptions.
Audit logs on every interaction
Every call answered, every message sent, every PMS sync is logged with a timestamp and a reason. We give you read access on request.
Your data is yours
On termination, we export every call recording, transcript, lead, and review record to you within 14 days. You own the data we collect on your behalf.
Subprocessors
Every vendor we use to deliver Cura.
HIPAA requires Business Associates (us) to disclose our own subprocessors to Covered Entities (you). Here they are. We update this list when we change vendors.
Vendor Purpose BAA
Vapi Voice infrastructure orchestration (AI receptionist platform) Signed
Twilio Carrier voice + SMS infrastructure Signed via Twilio for Healthcare
OpenAI Large language model for conversation logic Signed via OpenAI Business Associate Agreement
ElevenLabs Voice synthesis (text-to-speech) Under contract review
Deepgram Speech-to-text transcription Signed
Vercel Web hosting + serverless compute Signed via Vercel Enterprise
Postmark Transactional email delivery Signed
Questions, breach reporting, or a security review request
For HIPAA compliance questions, security review requests, or to report a suspected breach, email hello@curadental.co with "Security" in the subject line. We respond within one business day. For a verified breach affecting your practice, we follow HIPAA breach notification timelines (within 60 days) and notify you immediately upon confirmation.
Last updated: May 2026. Subprocessor changes are announced at this URL 30 days before they take effect, per standard BAA notice provisions.