What You'll Learn
- How to set up two-factor authentication (2FA)
- DeepCura's HIPAA compliance framework
- What the BAA covers and where to access it
- PIPEDA compliance for Canadian practices
- How encryption and data protection work
Two-Factor Authentication (2FA)
Two-factor authentication adds a critical layer of security to your DeepCura account. When enabled, logging in requires both your password and a time-based code from an authenticator app on your phone.
Navigate to: Sidebar → Settings → Profile Settings → Security tab
Step 1: Download an authenticator app
Before enabling 2FA, install one of these free apps on your mobile device:
- Google Authenticator
- Microsoft Authenticator
- Authy
Step 2: Enable 2FA in your account
1. Go to Settings > Profile Settings.
2. Scroll down until you see Set up 2-Factor Authentication.
3. When prompted, open your authenticator app and either:
- Scan the QR code displayed on your screen, or
- Enter the setup key manually (shown in your account).
Step 3: Confirm setup
1. Your authenticator app will generate a 6-digit code.
2. Enter this code into the field provided in your account.
3. Once confirmed, 2FA will be successfully enabled.
Once enabled, every login attempt requires the time-based code in addition to your password. We strongly recommend enabling 2FA for all team members, especially those with admin privileges.
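What the three steps above set up, as an added example that is not DeepCura's code: the setup key behind the QR code is a base32 secret shared between the server and the authenticator app, the 6-digit code is an HMAC-SHA1 over the current 30-second time step (RFC 4226 HOTP / RFC 6238 TOTP), and the server accepts the code only within a small drift window and never twice. The issuer label, account name and setup key below are constructed (the setup key is the RFC reference secret, so the expected codes are known).

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed setup key: base32 of the RFC 4226/6238 reference secret
# "12345678901234567890". A real account receives a random secret.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_setup_key(setup_key: str) -> bytes:
    """Setup keys are shown in base32, often grouped with spaces for readability."""
    return base64.b32decode(setup_key.replace(" ", "").upper())


def totp(setup_key: str, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(decode_setup_key(setup_key), now // period, digits)


def provisioning_uri(issuer: str, account: str, setup_key: str) -> str:
    """The otpauth:// URI is what the setup QR code encodes (issuer/account are assumed)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={setup_key}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def verify_totp(setup_key: str, code: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check: returns the matched time step, or None if the code is rejected.

    window=1 tolerates one step of clock drift either way. last_counter is the
    step of the last code this account already used, so an accepted code can
    never be accepted a second time.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    secret = decode_setup_key(setup_key)
    now = int(time.time()) if at is None else at
    step = now // period
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_counter:
            continue
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    print(provisioning_uri("DeepCura", "clinician@example.com", SETUP_KEY))
    print("code for the current 30-second step:", totp(SETUP_KEY))
```

The server stores the returned time step as `last_counter` after each successful login; that, together with the one-step window, is what makes a code both drift-tolerant and single-use.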
HIPAA Compliance Framework
DeepCura is designed from the ground up to support HIPAA compliance. The platform addresses the three key HIPAA safeguard categories:
Technical Safeguards
- Encryption in transit — All data transmitted between your browser and DeepCura servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest — All stored data is encrypted using AES-256 on AWS infrastructure.
- Access controls — Role-based permissions limit access to PHI based on user role and department membership.
- Audit controls — Key actions are logged for compliance review, including attestation signing, permission changes, and data access events.
Administrative Safeguards
- Business Associate Agreement — Available in Settings > Legal for all covered entities.
- Workforce access management — The department and permission system ensures appropriate access levels.
- Security awareness training — This Help Center serves as a training resource for proper platform usage.
Physical Safeguards
- AWS data centers — All data is hosted on AWS infrastructure, which maintains SOC 2, ISO 27001, and HIPAA compliance certifications.
- No local storage of PHI — Audio is processed in real time via streaming and is not stored on your device.
Business Associate Agreement (BAA)
The BAA is a legally binding document between DeepCura and your practice that establishes:
- How DeepCura handles, stores, and protects PHI
- DeepCura's obligations for breach notification
- Permitted uses and disclosures of PHI
- Data retention and disposal procedures
Access the full BAA from Settings > Legal. We recommend downloading and storing a copy for your compliance records.
PIPEDA Compliance
For practices in Canada, DeepCura supports compliance with PIPEDA, which governs the collection, use, and disclosure of personal health information. The same technical infrastructure that supports HIPAA — encryption, access controls, audit logging — also satisfies PIPEDA's ten fair information principles.
Patient Data Protection
DeepCura implements several layers of patient data protection:
- No permanent audio storage by default — Audio is streamed for transcription and discarded. You can optionally enable backup storage from Automation Settings.
- Recording disclaimer — An automated audio disclaimer plays before each recording session to inform participants. This can be disabled only after signing a legal attestation.
- Data isolation — Each practice's data is logically isolated in the database. Team members can only access data within their workspace.
- Secure deletion — When you delete a note or recording, it is permanently removed from all storage systems.
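A worked model of the access-control and audit pattern described under Technical Safeguards, Workforce access management and Data isolation above, added here as an example and not DeepCura's own permission system. The role table, action names and users are constructed assumptions; what the code shows is the shape a practitioner should expect: deny by default, workspace isolation checked before anything else, department scoping on top of the role, every decision and every permission change written to an audit log, and a review helper that lists granted-but-never-used privileges for the periodic least-privilege check.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import FrozenSet, List

# Constructed role -> permitted actions table. Roles and action names are
# assumptions for this example, not DeepCura's real permission model.
# Any role or action absent from the table is denied.
ROLE_ACTIONS = {
    "admin": frozenset({"read", "write", "delete", "manage_permissions"}),
    "clinician": frozenset({"read", "write"}),
    "scribe": frozenset({"read"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    workspace: str               # the practice this user belongs to
    role: str
    departments: FrozenSet[str]  # department memberships


@dataclass(frozen=True)
class Note:
    note_id: str
    workspace: str               # owning practice: the data-isolation boundary
    department: str


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    actor: str
    action: str
    target: str
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    events: List[AuditEvent] = field(default_factory=list)

    def record(self, actor: str, action: str, target: str, allowed: bool, reason: str) -> None:
        self.events.append(AuditEvent(datetime.now(timezone.utc), actor, action, target, allowed, reason))


def authorize(user: User, action: str, note: Note, audit: AuditLog) -> bool:
    """Deny-by-default access decision for a note; every decision, allowed or denied, is audited."""
    def decide(allowed: bool, reason: str) -> bool:
        audit.record(user.user_id, action, note.note_id, allowed, reason)
        return allowed

    if user.workspace != note.workspace:
        return decide(False, "note belongs to another workspace")
    if action not in ROLE_ACTIONS.get(user.role, frozenset()):
        return decide(False, f"role {user.role!r} does not grant {action!r}")
    if user.role != "admin" and note.department not in user.departments:
        return decide(False, f"not a member of department {note.department!r}")
    return decide(True, "role and department checks passed")


def change_role(actor: User, target: User, new_role: str, audit: AuditLog) -> User:
    """Permission changes are restricted to admins of the same workspace and always audited."""
    allowed = (actor.workspace == target.workspace
               and "manage_permissions" in ROLE_ACTIONS.get(actor.role, frozenset())
               and new_role in ROLE_ACTIONS)
    audit.record(actor.user_id, "manage_permissions", target.user_id, allowed, f"set role to {new_role!r}")
    if not allowed:
        raise PermissionError(f"{actor.user_id} may not change the role of {target.user_id}")
    return replace(target, role=new_role)


def unused_privileges(user: User, audit: AuditLog) -> FrozenSet[str]:
    """Periodic least-privilege review: actions the role grants that the user has never exercised."""
    exercised = {e.action for e in audit.events if e.actor == user.user_id and e.allowed}
    return ROLE_ACTIONS.get(user.role, frozenset()) - exercised
```

Denied attempts are logged with the same detail as successful ones; a run of denials for one account, or a cross-workspace denial, is exactly the kind of event a compliance review should be able to find in the audit trail.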
Quick Tips
- Enable 2FA for all team members — it is the single most impactful security action you can take.
- Review the BAA in Settings > Legal before onboarding patients.
- Periodically review team member permissions to ensure the principle of least privilege is maintained.
Next: Lesson 6.6 — Language & Localization