Security & Privacy
Sona is built for healthcare. Patient data protection is foundational to everything we build.
HIPAA Compliance
Sona is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA). The platform implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI).
We offer Business Associate Agreements (BAAs) for healthcare providers who use Sona to handle patient communications and scheduling workflows.
Data Protection
All voice calls and text messages processed through Sona are encrypted in transit using industry-standard TLS protocols. Data at rest is protected with AES-256 encryption.
We follow the principle of least privilege — patient data is only accessible to the systems and personnel that require it to deliver the service.
Access Controls
Sona provides role-based access controls so clinics can restrict who can view, modify, or export patient information. Each staff member operates within a defined permission scope.
The system maintains audit logs of key actions to support compliance reviews and internal accountability.
Infrastructure
Sona runs on hardened cloud infrastructure with automated patching, network segmentation, and continuous operational monitoring.
We conduct regular vulnerability assessments and follow secure development practices across our engineering team.
Compliance Roadmap
Sona has initiated a SOC 2 Type II compliance program. As the platform scales, we are working toward independent audit certification to provide additional assurance to our customers.
Our security practices evolve continuously. If you have questions about our compliance posture or need documentation for your own review process, please reach out.
Questions about security?
If you need a BAA, have questions about our compliance posture, or want to discuss security requirements for your organization, contact us at security@sona.health.