Security & HIPAA
Last updated: April 2026
Zally AI handles Protected Health Information on behalf of medical practices. Security is not an add-on — it is built into every layer of how we process, transmit, and store data.
HIPAA Business Associate Agreement
We sign a Business Associate Agreement (BAA) with every customer before any patient data is processed. No exceptions. The BAA defines our responsibilities for safeguarding PHI and outlines breach notification procedures as required by HIPAA.
How Your Data Flows
Zally processes faxes in three steps. Patient data never leaves HIPAA-compliant infrastructure.
- Fax arrives in DrChrono — Zally reads the fax directly from your DrChrono account. The original document stays in DrChrono at all times.
- AI classifies and extracts data — The document is processed using HIPAA-compliant AI infrastructure covered under a signed BAA. Your data is never used to train AI models.
- Filed into DrChrono — Zally attaches the document to the correct patient chart, creates tasks, and routes it to the right staff member. Everything lands back in DrChrono where it belongs.
Data Protection
- Encrypted in transit: All data is transmitted over HTTPS/TLS between Zally and our processing infrastructure.
- Encrypted at rest: All stored data is encrypted using server-side encryption.
- No PHI in logs: Patient data and document text are never written to application logs. Only anonymized processing metadata (document type, timestamps) is logged.
- Data stays in the United States: All processing occurs within US-based data centers.
- No copies stored outside DrChrono: Fax documents are processed in memory and filed directly to your DrChrono account. We do not retain copies.
Access Controls
- Multi-factor authentication (MFA) on all systems that access PHI, consistent with the 2025 HIPAA Security Rule update.
- Zally operates within your existing DrChrono account permissions. No superuser access or admin privileges are required.
- Access to infrastructure is restricted to key personnel with role-based policies.
What We Do Not Do
- We do not sell, share, or transfer patient data to third parties.
- We do not use your data to train AI models.
- We do not store copies of fax documents outside of DrChrono.
- We do not require access to your full EHR database — only the fax inbox and patient search.
Frequently Asked Questions
Is my data used to train AI?
No. Your data is processed and discarded — it is never retained by the AI provider or used for model training.
Where is my data stored?
Fax documents remain in your DrChrono account. AI processing happens on HIPAA-compliant infrastructure within the United States. We do not store patient data outside of DrChrono.
Can I get a BAA?
Yes. A signed BAA is included with every Zally AI subscription at no additional cost. We execute the BAA before any patient data is processed.
Do you have SOC 2 certification?
SOC 2 Type 2 certification is on our roadmap. In the meantime, we provide a signed BAA, HIPAA-compliant infrastructure, and full transparency into our security practices.
What happens if there is a security incident?
We follow HIPAA breach notification requirements. Affected covered entities are notified within the timeframes specified in the BAA and applicable regulations. We maintain an incident response process covering detection, containment, notification, and remediation.
Have security questions?
We are happy to walk through our security practices in detail. Contact us or request a copy of our BAA template.