Compliance & Certifications

HIPAA-eligible architecture, GDPR-ready data processing, ISO 27001 in progress

Overview

Instafill.ai is used by healthcare organizations, law firms, financial institutions, and government contractors - industries where compliance is not optional. This page documents the regulatory frameworks Instafill.ai supports, the specific controls that enable regulated-industry deployments, and what customers need to do on their end to maintain compliance.

Current certification and compliance status:

• ISO 27001 - In progress
• HIPAA - BAA-eligible architecture; BAA available on request
• GDPR - Data processor obligations met; DPA available on request
• SOC 2 Type II - In progress
• PCI DSS - Payment data handled exclusively by Stripe (Level 1 certified)

HIPAA

Can I use Instafill.ai with patient health information (PHI)?

Yes, with a signed Business Associate Agreement (BAA). Instafill's architecture implements the technical safeguards required by the HIPAA Security Rule, and Instafill.ai will execute a BAA with covered entities and business associates.

For example, a teleradiology practice used Instafill.ai to automate hospital credentialing packets for radiologists across multiple facilities - a workflow involving physician data including licensure, malpractice history, and professional references.

Technical Safeguards Implemented

Access Controls (SS 164.312(a)(1))

• Unique user authentication via email/password or OAuth (Google, Microsoft)
• Role-based access control within workspaces
• API key authentication for programmatic access, workspace-scoped
• Two-factor authentication (2FA) available and enforceable org-wide

Audit Controls (SS 164.312(b))

• All API requests logged with user ID, workspace ID, IP address, and timestamp
• Authentication events (login, logout, 2FA) logged
• Access to systems, APIs, and data processing activities is logged with timestamped details including origin, action type, and access level

Integrity Controls (SS 164.312(c)(1))

• AES-256 encryption at rest - source text and file content encrypted before storage
• TLS in transit - all API calls and file transfers over HTTPS
• Filled PDFs stored encrypted in Azure Blob Storage; field values stored encrypted in MongoDB
• Azure Key Vault manages workspace-scoped encryption keys with access logging

Transmission Security (SS 164.312(e)(1))

• All data in transit encrypted via TLS/HTTPS
• AI API calls made server-to-server over HTTPS
• No PHI transmitted via unencrypted channels

Minimum Necessary / Data Minimization

• Stateless Mode deletes all source content (including PHI) immediately after session completion - no post-session PHI retention in Instafill.ai systems
• Configurable retention policies allow organizations to set maximum PHI retention windows

AI Providers and PHI

When using Instafill.ai to fill forms from PHI source documents (patient records, insurance cards, clinical notes), extracted text from those documents is sent to AI providers for field mapping. This is the primary HIPAA consideration for Instafill.ai usage.

For a full breakdown of what is sent to AI providers, what stays local, and how the data pipeline works, see How Instafill.ai Uses AI Models and Handles Your Data.

Deployment options for HIPAA use cases:

• Azure OpenAI deployment - Instafill.ai can process AI filling through Microsoft Azure OpenAI rather than the default OpenAI API, keeping data processing within Microsoft Azure's infrastructure
• Stateless Mode - Source content (including PHI) is deleted immediately after the fill completes, minimizing retention
• Contact Instafill.ai sales to discuss the appropriate AI provider configuration for your HIPAA requirements

GDPR

Data Controller vs. Processor

Under GDPR:

• Your organization is the data controller - you determine what personal data is processed, for what purpose, and under what legal basis
• Instafill.ai is the data processor - we process personal data on your behalf, under your instructions
• Instafill's vendors (Azure, MongoDB, OpenAI, etc.) are subprocessors - see Third-Party Subprocessors & Vendors for the full list

GDPR Controls Implemented

Article 25 - Data Protection by Design and Default

• Workspace isolation ensures personal data is not accessible outside the organization that uploaded it
• Minimum data collection: Instafill.ai collects only what is necessary to provide the form-filling service
• Stateless Mode supports data minimization by design - zero post-session retention when enabled

Article 17 - Right to Erasure ("Right to be Forgotten")

• Account deletion triggers a complete data purge: user records, sessions, profiles, and associated files are removed across the database and file storage
• Session-level deletion is available - individual session data including source files and filled PDFs
• Cleanup policies support automatic deletion after a configurable retention period

Article 28 - Subprocessor Obligations

• Instafill.ai maintains a full vendor list documenting every service that may process data on Instafill's behalf
• DPA is available documenting Instafill's obligations as a processor and all subprocessors
• Subprocessor changes will be communicated with reasonable notice to customers with active DPAs

Article 32 - Security of Processing

• AES-256 encryption at rest; TLS in transit
• Role-based access control and permissions
• Audit logging for data access and deletion operations
• Regular security review of the processing pipeline

Article 33 - Breach Notification

• Security incidents that affect customer data or service availability will be notified to impacted customers promptly. Instafill's stated SLA for customer notification is 24 hours from detection.

Data Transfers Outside the EU

Instafill's primary infrastructure runs in Microsoft Azure (region configurable). AI processing uses OpenAI (US-based) and optionally Azure OpenAI (EU region available). For EU customers with data residency requirements:

• Azure infrastructure can be configured for EU regions
• Azure OpenAI with EU region deployment is available for AI processing
• Contact sales to discuss EU-region-only deployments

How to Get a DPA

Data Processing Agreements are available for customers who require them for GDPR compliance. Contact our team.

ISO 27001

Instafill.ai is pursuing ISO/IEC 27001 certification - the international standard for information security management systems (ISMS). The controls being implemented and assessed cover:

• Systematic management of information security risks
• Security policies and procedures
• Asset management and access control
• Physical and environmental security
• Supplier relationships and subprocessor management
• Incident management
• Business continuity

When the certification is achieved, it will be noted here and available to customers on request.

SOC 2 Type II

SOC 2 Type II audit is in progress. The audit covers the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Current controls that form the basis of the SOC 2 compliance posture:

• Encryption at rest and in transit
• Role-based access control with authentication logging
• Workspace data isolation
• Configurable data retention and deletion
• Incident management and response procedures
• Vendor (subprocessor) assessment and oversight

When the SOC 2 Type II report is complete, it will be available to customers on request.

PCI DSS

Instafill.ai does not process, store, or transmit payment card data. All payment processing - credit cards, billing information - is handled exclusively by Stripe, which maintains PCI DSS Level 1 certification (the highest level). No card data flows through Instafill's systems.

Common Questions

Compliance questions or BAA/DPA requests? Contact our team