Data Governance & HIPAA Compliance
Audio Fantastic is committed to the highest standards of data security and clinical confidentiality. All patient acoustic data is processed using Google Cloud's healthcare-native infrastructure with Zero-Trust architecture.
Last updated: April 2025
HIPAA-Compliant Infrastructure
Audio Fantastic operates exclusively on Google Cloud Healthcare solutions, which are HIPAA-certified and HITRUST-validated. All Protected Health Information (PHI) is encrypted both in-transit and at-rest using FIPS 140-2 Level 2 compliant cryptography.
Our acoustic embeddings are processed within isolated Vertex AI training pipelines with audit logging and multi-factor authentication controls. No patient identifiable information is retained beyond the analysis period.
Zero-Trust Data Sovereignty
Every acoustic signal undergoes encryption before transmission to our servers. Data never persists in plaintext. Our Gated Cross-Attention models operate on frozen embeddings, meaning the clinical inference engine has no access to raw audio files.
Access to stored data is restricted to authenticated service accounts with role-based access control (RBAC). All access events are logged and monitored for anomalies in real-time.
Consent & Data Retention
Audio Fantastic requires explicit informed consent before processing any acoustic data. Patients retain the right to request deletion of their embeddings at any time. By default, all acoustic data and intermediate embeddings are deleted immediately after clinical analysis is complete.
Research partnerships operate under Data Use Agreements (DUAs) that explicitly govern retention periods, secondary uses, and access controls. All such agreements comply with your institution's IRB requirements.
Security Audits & Compliance
Audio Fantastic undergoes independent SOC 2 Type II audits annually. Our architecture is regularly assessed for vulnerabilities through third-party penetration testing. We maintain a responsible disclosure policy for security researchers.
All employees with access to PHI complete HIPAA training and sign Business Associate Agreements. Our incident response plan is tested quarterly and includes mandatory breach notification procedures in accordance with 45 CFR §164.400+.
International Data Protection
For patients and institutions outside the United States, Audio Fantastic complies with GDPR and other regional data protection regulations. Data transfers are governed by Standard Contractual Clauses (SCCs) with explicit adequacy assessments.
All processing instructions and technical safeguards are documented in our Data Protection Impact Assessment (DPIA), which is available to institutional data protection officers upon request.
Questions & Inquiries
If you have questions about our data governance practices, contact our Data Protection Officer at privacy@audio-fantastic.com.
For access requests, deletion requests, or breach notifications, please contact our compliance team at compliance@audio-fantastic.com.