Trust · HIPAA

The BAA.

Available on Professional and Enterprise tiers. PHI handling on free or demo workspaces is not permitted.

Before you upload PHI: a signed Business Associate Agreement must be in place. Use the form below to request one. We will return a countersigned copy within five business days, and we will not accept PHI into a workspace until the BAA is executed on both sides.

What the BAA covers

Felarity acts as a Business Associate when a covered entity, or another business associate acting on behalf of a covered entity, uploads Protected Health Information into a workspace governed by a signed BAA. The agreement sets out permitted uses and disclosures of PHI, the administrative, physical, and technical safeguards we maintain, our breach notification commitment (notice without unreasonable delay and no later than sixty days from discovery), flow-through obligations on any subcontractor that touches PHI, and the return or destruction of PHI at termination of the underlying services agreement.

The BAA is governed by 45 CFR Parts 160 and 164 (the HIPAA Privacy, Security, and Breach Notification Rules) as amended by HITECH. Our standard form is available on request and accommodates customer-specific addenda where required by your compliance office.

Felarity's PHI handling

Workspace flag

PHI-eligible workspaces are flagged at the time of creation. The flag is set by our team once the BAA is fully executed; it cannot be enabled by an end user. When the flag is on, the strict DLP path is enforced on every ingest (audio, transcript, attached document) and outbound LLM call. Any feature that would share workspace content outside the tenant — public verify links to raw transcript content, cross-workspace search, third-party export integrations — is disabled by default on the PHI flag and cannot be toggled on by a non-owner.

Encryption

At rest, audio chunks, transcripts, voice samples, and report artifacts are encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 tag, so a tampered or truncated ciphertext is rejected on read rather than decrypted) under a strict-fail policy: if the key is unavailable at write time, the write fails closed. We never silently degrade to plaintext. Keys are managed in a separate KMS path from the application database. In transit, TLS 1.3 is required end to end; older TLS versions are refused at the edge.

Access

Every PHI read writes a full audit row: actor identity, workspace, resource, timestamp, and request origin. Audit rows are written by an INSERT-only database role that has no UPDATE or DELETE privileges, which means historical audit cannot be silently rewritten by an application bug or a compromised application credential. Customer-facing audit export is available on Enterprise.
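One way to set up the INSERT-only audit role this paragraph describes, and to check that the grant is actually what you think it is, as an added PostgreSQL example. This is not Felarity's schema or tooling; the table, column and role names (phi_audit, audit_writer, app_owner) are assumptions.

```sql
-- Added example, PostgreSQL. Table, column and role names are assumptions,
-- not Felarity's schema.

-- The audit table is owned by a role the application never connects as,
-- because a table's owner can always grant itself UPDATE and DELETE.
CREATE ROLE app_owner NOLOGIN;
CREATE TABLE phi_audit (
    id           bigserial   PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor        text        NOT NULL,   -- actor identity
    workspace    text        NOT NULL,
    resource     text        NOT NULL,
    origin       inet                    -- request origin
);
ALTER TABLE phi_audit OWNER TO app_owner;

-- The role the application writes audit rows as: INSERT and nothing else.
CREATE ROLE audit_writer LOGIN PASSWORD 'change-me';
REVOKE ALL ON phi_audit FROM PUBLIC;
GRANT INSERT ON phi_audit TO audit_writer;
GRANT USAGE ON SEQUENCE phi_audit_id_seq TO audit_writer;  -- needed for the bigserial default

-- Check: ask the server what the role can do, rather than trusting the GRANT script.
SELECT has_table_privilege('audit_writer', 'phi_audit', 'INSERT') AS can_insert,  -- true
       has_table_privilege('audit_writer', 'phi_audit', 'UPDATE') AS can_update,  -- false
       has_table_privilege('audit_writer', 'phi_audit', 'DELETE') AS can_delete;  -- false

-- Negative test from an admin session: the INSERT succeeds, the UPDATE and
-- DELETE must each fail with "permission denied for table phi_audit".
SET ROLE audit_writer;
INSERT INTO phi_audit (actor, workspace, resource, origin)
     VALUES ('user:alice', 'ws_demo', 'transcript:123', '203.0.113.7');
UPDATE phi_audit SET actor = 'user:mallory' WHERE id = 1;
DELETE FROM phi_audit WHERE id = 1;
RESET ROLE;
```

Two caveats a reviewer should carry over from this: the protection holds only against the role the application connects as, so the application's general-purpose database role must hold no privileges on the audit table either, and audit writes must go through the restricted credential; and neither a table owner nor a database superuser is constrained by these grants, so the owner and administrative roles need to be kept out of the application's reach by other means.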

Retention

Retention windows are configurable per workspace. The defaults on a PHI workspace are thirty days for audio chunks and verbatim transcripts, and one year for generated reports and structured intelligence artifacts. The right-to-delete is a hard delete: a deletion request cascades through audio chunks, transcripts, speaker voice samples, derived diarization, NLI scores, council outputs, and report artifacts, and produces an attested record of completion that you can verify against our public key.

Subcontractors

We currently route no PHI to third-party LLM subprocessors. The council and post-session pipeline run on Felarity-operated inference hardware described on the subprocessors page. Storage and email subprocessors that handle PHI are listed there with their own BAAs in place.

Felarity supports a bring-your-own-key path for customers who want to route specific workloads to their own LLM provider. If you attempt to enable a BYOK provider on a PHI-flagged workspace, the platform will block enablement until you have confirmed, in writing, that you hold a BAA directly with that provider for the workloads you are routing to it. We do not extend our BAA to cover a third-party LLM that we did not select.

Request the BAA

Send the form below and our legal team will respond within five business days with a countersigned BAA and the workspace-flag enablement instructions. If your organization requires us to sign your paper BAA instead of ours, attach it in the use-case field or send to legal@felarity.com.

What we will not do under the BAA

We will not use or disclose PHI for marketing. We will not sell PHI. We will not fold PHI, in any form, into our broader product analytics, model training datasets, or aggregate reporting. We will not honor a request to enable a PHI workspace before the BAA is fully executed on both sides, and we will not retroactively cover PHI that was uploaded outside the scope of a signed BAA.

If you are unsure whether a workload involves PHI, treat it as PHI and request the BAA. We would rather sign one BAA you did not strictly need than allow PHI into an unflagged workspace.

Contact — BAA requests, paper-BAA negotiation, and breach-notification contacts: legal@felarity.com. For security incidents that may involve PHI, also notify security@felarity.com.
Last updated: June 7, 2026