Compliance & Certifications

HIPAA-eligible architecture, GDPR-ready data processing, ISO 27001 in progress

Overview

Instafill.ai is used by healthcare organizations, law firms, financial institutions, and government contractors — industries where compliance is not optional. This page documents the regulatory frameworks Instafill supports, the specific controls that enable regulated-industry deployments, and what customers need to do on their end to maintain compliance.

Current certification and compliance status:

• ISO 27001 — In progress
• HIPAA — BAA-eligible architecture; BAA available on request
• GDPR — Data processor obligations met; DPA available on request
• SOC 2 Type II — In progress
• PCI DSS — Payment data handled exclusively by Stripe (Level 1 certified)

HIPAA

Can I use Instafill with patient health information (PHI)?

Yes, with a signed Business Associate Agreement (BAA). Instafill's architecture implements the technical safeguards required by the HIPAA Security Rule, and Instafill will execute a BAA with covered entities and business associates.

Technical Safeguards Implemented

Access Controls (§ 164.312(a)(1))

• Unique user authentication via email/password or OAuth (Google, Microsoft)
• Role-based access within workspaces (Owner, Admin, Member, Viewer)
• API key authentication for programmatic access, workspace-scoped
• Two-factor authentication (2FA) available and enforceable org-wide
• Automatic session expiration configurable at organization level

Audit Controls (§ 164.312(b))

• All API requests logged with user ID, workspace ID, IP address, timestamp
• Cleanup and data deletion operations logged with run ID, items affected, and duration
• Download events tracked per session (who downloaded which filled form and when)
• Authentication events (login, logout, 2FA) logged

Integrity Controls (§ 164.312(c)(1))

• AES-256 encryption at rest — source text and file content encrypted before storage
• TLS in transit — all API calls and file transfers over HTTPS
• Filled PDFs stored encrypted in Azure Blob Storage; field values stored encrypted in MongoDB
• Azure Key Vault manages workspace-scoped encryption keys with access logging

Transmission Security (§ 164.312(e)(1))

• All data in transit encrypted via TLS/HTTPS
• AI API calls (to OpenAI, Azure OpenAI, Gemini) made server-to-server over HTTPS
• No PHI transmitted via unencrypted channels

Minimum Necessary / Data Minimization

• Stateless Mode deletes all source content (including PHI) immediately after session completion — no post-session PHI retention in Instafill systems
• Configurable retention policies allow organizations to set maximum PHI retention windows
• Cleanup & Data Management supports automated deletion on a schedule

AI Providers and PHI

When using Instafill to fill forms from PHI source documents (patient records, insurance cards, clinical notes), extracted text from those documents is sent to AI providers (OpenAI, Azure OpenAI, or Gemini) for field mapping. This is the primary HIPAA consideration for Instafill usage.

Mitigation options:

1. Azure OpenAI deployment: Use Instafill's Azure OpenAI integration, where data processing occurs within Microsoft's Azure environment under Microsoft's HIPAA BAA (Microsoft includes Azure OpenAI in its HIPAA BAA for eligible customers)
2. Stateless Mode: Source content (including PHI) is deleted immediately after the fill completes, minimizing retention
3. OpenAI HIPAA BAA: OpenAI offers HIPAA BAAs for enterprise customers; this can be arranged for Instafill deployments

Contact Instafill sales to discuss the appropriate AI provider configuration for your HIPAA use case.

How to Get a BAA

Contact our team to request a Business Associate Agreement. BAAs are available for covered entities and business associates on paid plans.

GDPR

Data Controller vs. Processor

Under GDPR:

• Your organization is the data controller — you determine what personal data is processed, for what purpose, and under what legal basis
• Instafill.ai is the data processor — we process personal data on your behalf, under your instructions
• Instafill's vendors (Azure, MongoDB, OpenAI, etc.) are subprocessors — see Third-Party Subprocessors for the full list

GDPR Controls Implemented

Article 25 — Data Protection by Design and Default

• Workspace isolation ensures personal data is not accessible outside the organization that uploaded it
• Minimum data collection: Instafill collects only what is necessary to provide the form-filling service
• Stateless Mode supports data minimization by design — zero post-session retention when enabled

Article 17 — Right to Erasure ("Right to be Forgotten")

• Account deletion triggers a complete data purge: user records, sessions, profiles, and associated files are removed across the database and file storage
• Session-level deletion available via API — individual session data including source files and filled PDFs
• Cleanup policies support automatic deletion after a configurable retention period

Article 28 — Subprocessor Obligations

• Instafill maintains the subprocessor list on this platform
• DPA is available documenting Instafill's obligations as a processor and all subprocessors
• Subprocessor changes will be communicated with reasonable notice to customers with active DPAs

Article 32 — Security of Processing

• AES-256 encryption at rest; TLS in transit
• Access controls and role-based permissions
• Audit logging for data access and deletion operations
• Regular security review of the processing pipeline

Article 33 — Breach Notification

• Security incidents that constitute personal data breaches will be notified to affected customers within 72 hours of Instafill becoming aware, consistent with Article 33 obligations

Data Transfers Outside the EU

Instafill's primary infrastructure runs in Microsoft Azure (region configurable). AI processing uses OpenAI (US-based) and optionally Azure OpenAI (EU region available). For EU customers with data residency requirements:

• Azure Blob Storage and MongoDB can be deployed in EU regions
• Azure OpenAI with EU region deployment is available for AI processing
• Contact sales to discuss EU-region-only deployments

How to Get a DPA

Data Processing Agreements are available for customers who require them for GDPR compliance. Contact our team.

ISO 27001

Instafill.ai is certified to ISO/IEC 27001 — the international standard for information security management systems (ISMS). ISO 27001 certification covers:

• Systematic management of information security risks
• Security policies and procedures
• Asset management and access control
• Physical and environmental security
• Supplier relationships and subprocessor management
• Incident management
• Business continuity

The certification demonstrates that Instafill's security controls have been independently audited and verified against an internationally recognized standard.

SOC 2 Type II

SOC 2 Type II audit is in progress. The audit covers the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Current controls that form the basis of SOC 2 compliance posture:

• Encryption at rest and in transit
• Role-based access control with authentication logging
• Workspace data isolation
• Configurable data retention and deletion
• Incident management and response procedures
• Vendor (subprocessor) assessment and oversight

When the SOC 2 Type II report is complete, it will be available to customers under NDA on request.

PCI DSS

Instafill does not process, store, or transmit payment card data. All payment processing — credit cards, billing information — is handled exclusively by Stripe, which maintains PCI DSS Level 1 certification (the highest level).

Instafill's interaction with Stripe is limited to subscription status and billing event webhooks — no card data flows through Instafill's systems.

Common Questions