Your patients trust you with their most sensitive information. We built the platform to treat it that way.
Most dental software encrypts your data "in transit and at rest" — which means the disk is encrypted, but anyone with database access sees every patient's name, birth date, and phone number in plain text. We go further: each PHI field is individually encrypted with AES-256-GCM under a key scoped to your practice before it's written. Here's the same patient record, as your team sees it and as it physically exists in our database.
Decrypted on demand, only for authenticated members of your practice.
first_name: null last_name: null date_of_birth: null phone: null email: null encrypted_phi: "eyJlbmNyeXB0ZWQiOnRydWUsImFsZ29yaXRobSI6ImFlcy0yNTYtZ2NtIiwiaXYiOiJJZHRoaExVNlhwU3FaanVSTFdrYkNBPT0iLCJkYXRhIjoiSVdPRW5sQWNrQ3psNVVJdHpvbW12YmkxQnRQOCtUYkhyZ2R1…"
A real row from our database (demo patient). The plaintext columns are null — the record exists only as ciphertext.
Eight layers of defense, built into every form, every record, every request.
Every PHI field is encrypted individually with AES-256-GCM and its own per-record data encryption key. If any one key is ever compromised, only that record is exposed — not your entire database.
We run on AWS with SOC 2 Type II certification and a 99.99% uptime SLA. Multi-region backups with encrypted storage and automatic failover.
Even Intake.Dental administrators cannot access unencrypted patient data. Decryption keys are tenant-scoped and never logged.
Meets and exceeds every PHI technical safeguard with a free executed BAA.
Federal cryptographic standards: 256-bit keys, GCM authentication.
Infrastructure runs on AWS's SOC 2 Type II certified foundation.
Most healthcare software still protects patient data with public-key cryptography that quantum computers are expected to break — and "harvest now, decrypt later" attacks are already stockpiling encrypted records for that day. Intake.Dental encrypts every patient record with the post-quantum encryption engine from TreeChain, so the PHI you store today stays unreadable decades from now.
Instead of one algorithm guarding everything, TreeChain's polyglottal cipher re-expresses your data across multiple independent cipher alphabets. No single key, algorithm, or breakthrough — classical or quantum — unlocks a complete record.
Every sensitive field — names, birthdates, health histories — is individually sealed into an opaque glyph token on top of AES-256-GCM. A stolen database yields nothing but an unreadable glyph stream, field by field.
Every Intake.Dental account ships with dual-layer Glyph encryption. The Extra Security add-on goes further — it locks the database itself so data is unreadable even if an attacker gets physical access to the raw files.
Dual-layer field-level encryption on every piece of Protected Health Information — included at no extra cost on every plan.
Every request — API, dashboard, form submission — is served over TLS 1.3 with HSTS enforcement and HTTPS-only delivery.
Every data access, modification, and administrative action is logged with timestamp, IP, and user-agent. Logs are append-only and exportable for your own compliance audits.
Automated anomaly detection on the database, API, and storage layers. Our on-call rotation investigates every alert.
Multi-factor authentication on every account. Role-based access control so hygienists, front desk, and doctors each see only the data their role requires.
Every account ships with our proprietary polyglottal Glyph Cipher on top of AES-256-GCM — two encryption layers by default, engineered to remain safe against future quantum attacks.
Stored PHI is never wrapped in the RSA/ECC public-key cryptography that Shor's algorithm threatens. The symmetric-first, 256-bit design keeps full strength against quantum search attacks — the same reason NIST rates AES-256 safe in a post-quantum world.
Encryption technology by TreeChain — read the technical deep-dive at treechain.ai
This is not an upgrade — it is the baseline. Every practice gets both encryption layers from day one.
Adds Transparent Data Encryption (TDE) to the database layer itself. If a hacker gains access to the raw database files, they still can't read a single byte.
Think of it this way: Standard Security encrypts every patient record individually. Extra Security also encrypts the entire vault those records sit in.
Our team will walk your IT lead or compliance officer through our controls, sub-processors, and BAA.