

DentalFlowDesk compliance

For dental practice operators. What we ship, what is available on request, and what we explicitly do not claim.

HIPAA-AWARE · BAA AVAILABLE · PCI SAQ-A · WCAG 2.1 AA · AES-256 AT REST · TLS 1.2+

DentalFlowDesk is a HIPAA-aware dental practice management product. Its BAA pathway is the same one used for MedFlow.

Scope of data

What this product processes when you operate it as intended:

  • Patient demographics (name, DOB, contact)
  • Dental insurance and claim metadata
  • Treatment plans and visit notes
  • Appointment reminders and outbound messaging

HIPAA + BAA pathway

This product is HIPAA-aware. A signed Business Associate Agreement (BAA) is executed with your practice before any Protected Health Information (PHI) is processed. Until the BAA is signed, the product runs in a no-PHI mode — AI features that would route PHI to large-language-model vendors that lack a BAA are gated off.

  • Customer BAA template available — request from sales@brainiacstechsolutions.com.
  • Sub-processor BAA status disclosed at /subprocessors and reviewed before any PHI is sent.
  • PHI fields (chart notes, claim payloads, ID document images) encrypted at rest with AES-256-GCM.
  • Application-level audit trail of PHI reads/writes with workforce attribution.
  • Breach-notification procedure follows 45 CFR §164.404; documented in our internal IR runbook.
  • Workforce HIPAA training and access reviews scheduled quarterly.

Dental-practice specifics

Dental-claim and recall workflow notes.

  • Recall reminders honor opt-in/opt-out per CTIA messaging guidelines.
  • Treatment-plan attachments are stored encrypted; access is logged and tied to staff role.
  • Insurance claim payloads are scoped by appointment + provider; no broad-database export.

Access control

Workspace isolation, MFA, and password-reset hygiene apply across all tiers.

  • Workspace data scoped by row-level checks; admin operations require an MFA-backed session.
  • Engineering production access is hardware-key MFA, ticketed, and logged.
  • Account password reset requires an email round-trip and invalidates all prior sessions for the account.
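The reset bullet above describes a mechanism rather than a policy, so here is a stand-alone illustration of it. This is an added example, not DentalFlowDesk code: it assumes a reset token that is emailed in the clear but stored only as a hash, a 15-minute validity window, single use, and a per-account session generation counter that is bumped on a successful reset so every session minted earlier stops validating. The store, the PBKDF2 iteration count and the addresses are constructed for the example.

```python
"""Password reset with e-mail round-trip and whole-account session invalidation.

Added illustration; not DentalFlowDesk's own code. Stdlib only.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60   # assumed window; the page states no figure
PBKDF2_ITERATIONS = 100_000   # assumed; kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a real deployment would tune iterations upward."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    email: str
    password_salt: bytes
    password_hash: bytes
    # Sessions remember the generation they were minted under.  Bumping this
    # number on reset kills every earlier session without tracking them individually.
    session_generation: int = 0
    reset_token_hash: bytes | None = None
    reset_expires_at: float = 0.0


@dataclass
class Session:
    email: str
    generation: int


class AccountStore:
    """In-memory stand-in for the accounts table (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(email, salt, hash_password(password, salt))
        self.accounts[email] = acct
        return acct

    def login(self, email: str, password: str) -> Session | None:
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if not hmac.compare_digest(hash_password(password, acct.password_salt), acct.password_hash):
            return None
        return Session(email, acct.session_generation)

    def session_is_valid(self, session: Session) -> bool:
        acct = self.accounts.get(session.email)
        return acct is not None and session.generation == acct.session_generation

    def begin_reset(self, email: str, now: float | None = None) -> str | None:
        """Mint the token that goes into the e-mail.  Only its SHA-256 is stored, so
        a database read cannot be turned into a working reset link.  The caller
        shows the same 'check your e-mail' page whether or not the account exists."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_expires_at = (now if now is not None else time.time()) + RESET_TTL_SECONDS
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: float | None = None) -> bool:
        """Consume the token exactly once, rotate the password, and invalidate all prior sessions."""
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None:
            return False
        current = now if now is not None else time.time()
        if current > acct.reset_expires_at:
            acct.reset_token_hash = None  # expired tokens are discarded, not retried
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        acct.reset_token_hash = None                     # single use
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.password_salt)
        acct.session_generation += 1                     # every earlier session is now dead
        return True
```

Checking `session.generation` against the account on every request is what makes "invalidates all prior sessions" cheap: nothing has to enumerate or delete session rows, and a session cookie stolen before the reset fails the next check regardless of where it is presented from.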

Transport + monitoring

What every customer gets, every product, by default.

  • TLS 1.2+ everywhere, HSTS preload-eligible (`max-age=31536000; includeSubDomains; preload`).
  • Edge rate-limiting (caddy-ratelimit) on the auth, intake, quote and onboarding endpoints, plus global write quotas.
  • Synthetic monitor every 5 minutes; two consecutive failures page on Telegram and SMS.

PCI-DSS (SAQ-A scope)

Because card data is fully outsourced to Stripe-hosted forms, we are scoped under SAQ-A — the minimum-scope self-assessment questionnaire. We do not maintain a Cardholder Data Environment.

  • Card data never touches our servers — we use Stripe Checkout and the Stripe Customer Portal.
  • Stripe webhook signatures (HMAC-SHA256 over the timestamped raw request body) are verified server-side with a per-endpoint signing secret.
  • Subscription billing, dunning, refunds, and tax run inside Stripe; we never store full PANs or CVVs.
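The webhook bullet above is the one place this section names a concrete check, so here is what that check looks like in code. This is an added example using only the standard library, not DentalFlowDesk's handler and not the Stripe SDK: it implements Stripe's documented scheme (HMAC-SHA256 over `<timestamp>.<raw body>` keyed with the endpoint secret, carried in the `Stripe-Signature` header as `t=...,v1=...`) plus the 300-second timestamp tolerance Stripe's own libraries apply by default, and it keys the secret by endpoint path as the bullet describes. The endpoint paths, secrets and event body are constructed for the example.

```python
"""Stripe webhook signature verification with per-endpoint secrets.

Added illustration; not DentalFlowDesk's code and not the Stripe SDK. Stdlib only.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Stripe's libraries reject events whose timestamp is more than 300 s from now,
# which bounds how long a captured signed request can be replayed.
DEFAULT_TOLERANCE_SECONDS = 300

# Constructed example: one signing secret per webhook endpoint.  Real values come
# from the Stripe dashboard (prefix "whsec_") and belong in a secret store.
ENDPOINT_SECRETS = {
    "/webhooks/stripe/billing": "whsec_constructed_billing_secret",
    "/webhooks/stripe/portal": "whsec_constructed_portal_secret",
}


class WebhookError(Exception):
    """Any verification failure: respond 400 and do not process the body."""


def parse_signature_header(header: str) -> tuple[int, list[str]]:
    """Parse 'Stripe-Signature: t=<unix>,v1=<hex>[,v1=<hex>...][,v0=<hex>]'.

    Several v1 values appear while an endpoint secret is being rotated, so all of
    them are kept.  v0 entries belong to a legacy scheme and are ignored.
    """
    timestamp: int | None = None
    v1_signatures: list[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            v1_signatures.append(value)
    if timestamp is None or not v1_signatures:
        raise WebhookError("malformed Stripe-Signature header")
    return timestamp, v1_signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the endpoint secret."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Produce a header the way Stripe would; used here only to construct sample input."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


def verify_webhook(payload: bytes, header: str, secret: str, *, now: int | None = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> dict:
    """Return the parsed event if signature and timestamp check out, else raise.

    `payload` must be the raw request body bytes: re-serialising parsed JSON
    changes whitespace and key order and breaks the HMAC.
    """
    timestamp, candidates = parse_signature_header(header)
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest keeps the comparison constant-time; try every v1 so rotation works.
    if not any(hmac.compare_digest(expected, sig) for sig in candidates):
        raise WebhookError("no v1 signature matched this endpoint's secret")
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        raise WebhookError("timestamp outside tolerance; treating as a replay")
    return json.loads(payload)


def verify_for_endpoint(path: str, payload: bytes, header: str, **kwargs) -> dict:
    """Look up the per-endpoint secret; an unknown path is rejected, never defaulted."""
    try:
        secret = ENDPOINT_SECRETS[path]
    except KeyError:
        raise WebhookError(f"no signing secret registered for {path}") from None
    return verify_webhook(payload, header, secret, **kwargs)


def verification_outcome(path: str, payload: bytes, header: str, *, now: int | None = None) -> str:
    """'ok' or the failure reason; the string is what a handler would log."""
    try:
        verify_for_endpoint(path, payload, header, now=now)
        return "ok"
    except WebhookError as exc:
        return str(exc)


if __name__ == "__main__":
    body = b'{"id":"evt_constructed_0001","type":"invoice.paid"}'  # constructed sample event
    t = 1_700_000_000
    header = build_signature_header(ENDPOINT_SECRETS["/webhooks/stripe/billing"], t, body)
    print(verification_outcome("/webhooks/stripe/billing", body, header, now=t + 5))
```

Two points the bullet leaves implicit: the signature check must run on the raw body before any JSON parsing, and a signature that verifies against the wrong endpoint's secret is still a rejection, which is the whole reason for keeping one secret per endpoint.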

Privacy + consumer rights

Any individual whose data we process can request access, correction, or deletion at support@brainiacstechsolutions.com. We honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out automatically.

  • California (CCPA/CPRA): access, deletion, correction, opt-out of sale/share, limit-use of sensitive PI. We do not sell or share data for cross-context behavioral advertising.
  • EU/UK (GDPR/UK-GDPR): access, rectification, erasure, restriction, portability, objection. DPA available at /dpa.
  • Breach notification: 45 CFR §164.404 (HIPAA), Cal Civ §1798.82, GDPR Art. 33/34.
  • Retention windows disclosed in /privacy.

Accessibility (WCAG 2.1 AA target)

We target WCAG 2.1 AA on all customer-facing surfaces and run an automated axe-core audit on every release. The audit currently reports zero serious or critical findings across the public marketing pages; automated checks cover only part of WCAG, so this is a floor, not a conformance claim.

  • Skip-to-content link on every page.
  • Keyboard-navigable forms with visible focus rings.
  • Honors prefers-reduced-motion on transition components.
  • Automated axe-core CI gate (bin/audit-a11y.ts) blocks regressions.

What we do not claim or provide

We list these explicitly so there is no ambiguity:

  • We are NOT 'HIPAA certified' (no such certification exists).
  • We do NOT submit insurance claims directly to clearinghouses; integration is on roadmap.
  • We do NOT handle controlled-substance e-prescribing.

Resources

Questions? Email sales@brainiacstechsolutions.com with subject "DentalFlowDesk compliance". For BAA requests, use subject "BAA request" and include your legal entity name.