Security & Compliance
5 Dec 2025
Healthcare-Grade Security for Clinical AI
Burna AI is built with healthcare-first architecture, designed for HIPAA compliance from day one. Our CTCAE AI platform processes clinical data through enterprise-grade infrastructure with comprehensive security controls.
HIPAA Compliance
Our Commitment
Burna AI is designed to meet HIPAA Security Rule requirements for covered entities and business associates. We implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).
Business Associate Agreements
We execute Business Associate Agreements (BAAs) with all customers and maintain BAAs with our infrastructure providers:
Microsoft Azure (Speech Services) — BAA in place, HITRUST certified
Cloudflare (Network Security) — BAA available, SOC 2 Type II certified
Convex (Database Infrastructure) — SOC 2 Type II certified
Technical Safeguards
| Safeguard | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transmission |
| Encryption at Rest | AES-256 encryption for stored data |
| Access Controls | Role-based access with unique user identification |
| Audit Logging | Complete audit trails for all data access and modifications |
| Authentication | Multi-factor authentication available for all accounts |
| Session Management | Automatic session timeout after inactivity |
Administrative Safeguards
Designated security officer responsible for HIPAA compliance
Workforce security training and access management procedures
Incident response procedures with defined escalation paths
Regular security assessments and vulnerability testing
Physical Safeguards
Our infrastructure runs on Microsoft Azure's U.S.-based data centers, which maintain:
SOC 2 Type II certification
HITRUST CSF certification
ISO 27001 certification
Physical access controls and 24/7 monitoring
Data Processing
Audio Input — Voice recordings transmitted via TLS 1.3 encrypted channels
Transcription — Audio processed by Azure Speech Services (HIPAA-eligible, BAA in place)
AI Analysis — Transcribed text analyzed for CTCAE grading with clinical context
Storage — Results stored in encrypted database with access controls
Output — CTCAE grades delivered with full audit logging
What We Do NOT Do
We do not sell or share patient data with third parties
We do not use patient data for advertising
We do not retain audio recordings longer than necessary for processing
We do not process data outside of BAA-covered infrastructure
SOC 2 Compliance
Current Status
Burna AI is building toward SOC 2 Type II certification. Our infrastructure providers maintain current SOC 2 Type II certifications:
| Provider | Certification | Scope |
|---|---|---|
| Microsoft Azure | SOC 2 Type II | Cloud infrastructure, speech services |
| Cloudflare | SOC 2 Type II | Network security, DDoS protection |
| Convex | SOC 2 Type II | Database infrastructure |
Trust Service Criteria
We implement controls aligned with SOC 2 Trust Service Criteria:
Security
Network security via Cloudflare (WAF, DDoS protection)
Encryption for data at rest and in transit
Vulnerability management and security monitoring
Availability
99.9% uptime target
Redundant infrastructure across availability zones
Incident response and disaster recovery procedures
Confidentiality
Role-based access controls
Data classification and handling procedures
Secure data disposal processes
Privacy
Privacy policy published and accessible
Data subject rights procedures (see GDPR section)
Consent management for data processing
Requesting Verification
To request documentation of our security controls or our vendors' SOC 2 reports, contact: contact@burna.ai
GDPR Compliance
Applicability
If you are located in the European Economic Area (EEA) or process data of EEA residents, this section applies to your use of Burna AI.
Legal Basis for Processing
We process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing CTCAE AI services | Performance of contract |
| Account management | Performance of contract |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
| Product improvement (anonymized) | Legitimate interest |
Your Rights
Under GDPR, you have the right to:
Access — Request a copy of your personal data
Rectification — Correct inaccurate personal data
Erasure — Request deletion of your personal data ("right to be forgotten")
Restriction — Limit how we process your data
Portability — Receive your data in a structured, machine-readable format
Object — Object to processing based on legitimate interest
Withdraw Consent — Where processing is based on consent
To exercise these rights, contact: contact@burna.ai
We will respond to requests within 30 days.
International Data Transfers
Burna AI processes data in the United States. For transfers of personal data from the EEA to the U.S., we rely on:
Standard Contractual Clauses (SCCs) — EU-approved contractual safeguards
Data Processing Agreements — With all sub-processors
Our infrastructure providers maintain their own transfer mechanisms:
Microsoft Azure: EU Data Boundary available, SCCs
Cloudflare: SCCs, Data Processing Addendum
Convex: SCCs available upon request
Data Processing Agreement
Enterprise customers can request a Data Processing Agreement (DPA) that includes Standard Contractual Clauses. Contact: contact@burna.ai
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days |
| Audio recordings | Deleted after processing (typically < 24 hours) |
| CTCAE grading results | As configured by customer, default 7 years |
| Audit logs | 3 years |
Sub-Processors
We use the following sub-processors for data processing:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Transcription, cloud infrastructure | United States |
| Cloudflare | Network security, CDN | United States (global edge) |
| Convex | Database services | United States |
We will notify customers of any changes to sub-processors with 30 days' notice.
Data Security Practices
Encryption
In Transit: TLS 1.3 for all API communications
At Rest: AES-256 encryption for all stored data
Key Management: Keys managed through provider-native solutions with regular rotation
Network Security
Web Application Firewall (Cloudflare)
DDoS protection (Cloudflare)
Rate limiting on all API endpoints
IP allowlisting available for enterprise customers
Application Security
Secure development practices
Dependency vulnerability scanning
Regular security testing
Input validation and output encoding
Incident Response
In the event of a security incident:
Detection — Automated monitoring and alerting
Containment — Immediate isolation of affected systems
Investigation — Root cause analysis and impact assessment
Notification — Affected customers notified within 72 hours (24 hours for HIPAA breaches)
Remediation — Corrective actions implemented and documented
Account Deletion
You can delete your account at any time:
Navigate to Settings > Account > Delete Account in the app
Confirm deletion
All personal data will be permanently deleted within 30 days
For enterprise accounts or assistance with deletion, contact: contact@burna.ai
Contact
For all security, privacy, compliance, or general inquiries: contact@burna.ai
Updates to This Policy
Last updated: January 2026
We may update this policy periodically. Material changes will be communicated via email to registered users.
Burna AI, Inc. is committed to protecting patient data and maintaining the trust of healthcare providers. Questions about our security practices? Contact contact@burna.ai