Security & Compliance
5 Dec 2025
Healthcare-Grade Security for Clinical AI
Burna AI is built with healthcare-first architecture, designed for HIPAA compliance from day one. Our CTCAE AI platform processes clinical data through enterprise-grade infrastructure with comprehensive security controls.
HIPAA Compliance
Our Commitment
Burna AI is designed to meet HIPAA Security Rule requirements for covered entities and business associates. We implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).
Business Associate Agreements
We execute Business Associate Agreements (BAAs) with all customers and maintain BAAs with our infrastructure providers:
- Microsoft Azure (Speech Services) : BAA in place, HITRUST certified
- Cloudflare (Network Security) : BAA available, SOC 2 Type II certified
- Convex (Database Infrastructure) : SOC 2 Type II certified
Technical Safeguards
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 encryption for stored data
- Access Controls: Role-based access with unique user identification
- Audit Logging: Complete audit trails for all data access and modifications
- Authentication: Multi-factor authentication available for all accounts
- Session Management: Automatic session timeout after inactivity
Administrative Safeguards
- Designated security officer responsible for HIPAA compliance
- Workforce security training and access management procedures
- Incident response procedures with defined escalation paths
- Regular security assessments and vulnerability testing
Physical Safeguards
Our infrastructure runs on Microsoft Azure's U.S.-based data centers, which maintain:
- SOC 2 Type II certification
- HITRUST CSF certification
- ISO 27001 certification
- Physical access controls and 24/7 monitoring
Data Processing
- Audio Input: Voice recordings transmitted via TLS 1.3 encrypted channels
- Transcription: Audio processed by Azure Speech Services (HIPAA-eligible, BAA in place)
- AI Analysis: Transcribed text analyzed for CTCAE grading with clinical context
- Storage: Results stored in encrypted database with access controls
- Output: CTCAE grades delivered with full audit logging
What We Do NOT Do
- We do not sell or share patient data with third parties
- We do not use patient data for advertising
- We do not retain audio recordings longer than necessary for processing
- We do not process data outside of BAA-covered infrastructure
SOC 2 Compliance
Current Status
Burna AI is building toward SOC 2 Type II certification. Our infrastructure providers maintain current SOC 2 Type II certifications:
- Microsoft Azure
- Cloudflare
- Convex
Trust Service Criteria
We implement controls aligned with SOC 2 Trust Service Criteria:
- Security: network security via Cloudflare, encryption, vulnerability management
- Availability: 99.9% uptime target, redundant infrastructure, disaster recovery
- Confidentiality: role-based access controls, data classification, secure data disposal
- Privacy: published policy, data subject rights procedures, consent management
Requesting Verification
To request documentation of our security controls or our vendors' SOC 2 reports, contact: contact@burna.ai
GDPR Compliance
Applicability
If you are located in the European Economic Area (EEA) or process data of EEA residents, this section applies to your use of Burna AI.
Legal Basis for Processing
- Providing CTCAE AI services: Performance of contract
- Account management: Performance of contract
- Security and fraud prevention: Legitimate interest
- Legal compliance: Legal obligation
- Product improvement (anonymized): Legitimate interest
Your Rights
Under GDPR, you have the right to:
- Access : Request a copy of your personal data
- Rectification : Correct inaccurate personal data
- Erasure : Request deletion of your personal data ("right to be forgotten")
- Restriction : Limit how we process your data
- Portability : Receive your data in a structured, machine-readable format
- Object : Object to processing based on legitimate interest
- Withdraw Consent : Where processing is based on consent
To exercise these rights, contact: contact@burna.ai. We will respond to requests within 30 days.
International Data Transfers
Burna AI processes data in the United States. For transfers of personal data from the EEA to the U.S., we rely on Standard Contractual Clauses (SCCs) and Data Processing Agreements with all sub-processors.
Data Processing Agreement
Enterprise customers can request a Data Processing Agreement (DPA) that includes Standard Contractual Clauses. Contact: contact@burna.ai
Data Retention
- Account information: Duration of account + 30 days
- Audio recordings: Deleted after processing (typically < 24 hours)
- CTCAE grading results: As configured by customer, default 7 years
- Audit logs: 3 years
Sub-Processors
- Microsoft Azure: Transcription, cloud infrastructure (US)
- Cloudflare: Network security, CDN (US/Global)
- Convex: Database services (US)
We will notify customers of any changes to sub-processors with 30 days' notice.
Data Security Practices
Encryption
- In Transit: TLS 1.3 for all API communications
- At Rest: AES-256 encryption for all stored data
- Key Management: Keys managed through provider-native solutions with regular rotation
Network Security
- Web Application Firewall (Cloudflare)
- DDoS protection (Cloudflare)
- Rate limiting on all API endpoints
- IP allowlisting available for enterprise customers
Application Security
- Secure development practices
- Dependency vulnerability scanning
- Regular security testing
- Input validation and output encoding
Incident Response
- Detection: Automated monitoring and alerting
- Containment: Immediate isolation of affected systems
- Investigation: Root cause analysis and impact assessment
- Notification: Affected customers notified within 72 hours (24 hours for HIPAA breaches)
- Remediation: Corrective actions implemented and documented
Account Deletion
You can delete your account at any time:
- Navigate to Settings > Account > Delete Account in the app
- Confirm deletion
- All personal data will be permanently deleted within 30 days
For enterprise accounts or assistance with deletion, contact: contact@burna.ai
Contact
For all security, privacy, compliance, or general inquiries: contact@burna.ai
Updates to This Policy
Last updated: January 2026. We may update this policy periodically. Material changes will be communicated via email to registered users.
Burna AI, Inc. is committed to protecting patient data and maintaining the trust of healthcare providers. Questions about our security practices? Contact contact@burna.ai