0 data breaches ever

Built with care for dental practices.

AES-256-GCM encryption

SOC 2 infrastructure

Nine HIPAA safeguards — all exceeded

HIPAA's Security Rule lays out specific technical and administrative safeguards covered entities and their business associates must implement. Here is how Intake.Dental meets each one — and where we exceed.

Encryption at Rest

Exceeded

Per-record AES-256-GCM with envelope-encrypted data encryption keys. Our Glyph Cipher applies a second polyglottal layer on top — included on every account.

Encryption in Transit

Exceeded

TLS 1.3 with HSTS enforcement across every endpoint and HTTPS-only delivery.

Audit Controls

Exceeded

Comprehensive append-only logging of every data access, modification, and administrative action — with IP and user-agent tracking.

Access Controls

Exceeded

Layer 1: AES-256-GCM

Field-level encryption with per-record Data Encryption Keys for forward secrecy. Envelope encryption via a central Key API with tenant isolation via Additional Authenticated Data. HMAC integrity verification and 128-bit IV / auth tags per record.

Layer 2: Glyph Cipher (included)

Every account ships with our proprietary polyglottal cipher applied on top of AES. The resulting glyph strings resist frequency analysis and are engineered to remain safe against future quantum attacks.

Business Associate Agreement — included free

Every practice that registers on Intake.Dental automatically receives an executed BAA at no additional cost. It covers digital forms, PDF storage, teledentistry, PMS integration, insurance verification, and patient communications. The platform is operated by Dental Education, Inc., and parallel BAAs are maintained with every sub-processor.

Breach notification within 72 hours

If a confirmed security incident affects your practice, you will receive a detailed incident report and immediate remediation plan within 72 hours — not 60 days, not "when we finish our investigation."

Doctor e-signatures on every health history

State dental boards and malpractice carriers treat the dentist's signature on a patient health history as standard of care — Michigan codifies it in R 338.11120, California enforces it through CDA guidance, and most other states expect it through board rules or carrier contracts. Intake.Dental applies the doctor's e-signature to every completed intake with a cryptographic timestamp and audit trail, so the compliance box is checked before it ever becomes a question.

See how doctor e-signatures work →

Frequently asked questions

Do you sign a Business Associate Agreement?

Yes — every practice that registers on Intake.Dental automatically receives an executed BAA at no additional cost. The BAA covers digital forms, PDF storage, teledentistry, PMS integration, insurance verification, and patient communications. We also maintain parallel BAAs with every sub-processor we use.

What encryption do you use for PHI?

All Protected Health Information is double-encrypted by default: first at the field level using AES-256-GCM with per-record Data Encryption Keys (DEKs) for forward secrecy, then wrapped in our proprietary Glyph Cipher — a polyglottal layer resistant to future quantum attacks. Both layers are included on every account. Keys use envelope encryption with tenant-isolated derivation.

What happens if there is a security incident?

We notify affected practices within 72 hours of a confirmed security incident with a detailed report and remediation plan. Because every account ships with dual-layer encryption (AES-256-GCM + Glyph Cipher), your records may qualify for the HIPAA Breach Notification Rule's encryption safe harbor exception under 45 CFR § 164.402 — but we notify regardless. Transparency over loopholes.

Is your infrastructure certified?

We run on AWS infrastructure that is SOC 2 Type II certified. Our database layer (Supabase) is also SOC 2 Type II. Our own application code is designed around HIPAA's Security Rule and audited on an ongoing basis.

Are HIPAA consent forms available in other languages?

Yes — HIPAA consent documents and Notices of Privacy Practices are available in 29+ languages automatically, so every patient can acknowledge in the language they actually read.

Role-based access control (RBAC), unique user IDs per staff member, automatic session timeout, and MFA.

Practice Isolation

Exceeded

Dedicated subdomains, tenant-specific encryption keys, and application-layer tenant filtering on every query.

Integrity Controls

Exceeded

HMAC verification and authenticated encryption (GCM mode) on every PHI record.

Business Associate Agreement

Active

Executed with every practice at no additional cost. Parallel BAAs maintained with AWS, Supabase, and every sub-processor.

Data Disposal

Exceeded

Secure deletion on request with deletion certificates. Encrypted backups purged within 90 days of tenant termination.

Key Management

Exceeded

Per-record DEKs with envelope encryption and tenant-isolated key derivation.

HIPAA Compliance

Security that exceeds every standard

Every Intake.Dental account ships with an executed BAA, field-level AES-256-GCM encryption, SOC 2 infrastructure, and 9 HIPAA safeguards — all exceeded, not merely met.

Questions about HIPAA or your BAA?

Reach out to our compliance team and we'll walk you through the specifics for your practice.

Get Started Free Book a Demo Call

AES-256-GCM field-level encryption, audit logging, access controls, and infrastructure posture.

Compliance

Legal

Nine HIPAA safeguards — all exceeded

Layer 1: AES-256-GCM

Layer 2: Glyph Cipher (included)

Business Associate Agreement — included free

Breach notification within 72 hours

Doctor e-signatures on every health history

Frequently asked questions

Do you sign a Business Associate Agreement?

What encryption do you use for PHI?

What happens if there is a security incident?

Is your infrastructure certified?

Are HIPAA consent forms available in other languages?

Security that exceeds every standard

Questions about HIPAA or your BAA?

Recent HIPAA penalty cases