Privacy Policy
Sanolith provides a HIPAA-aligned LLM workspace for healthcare teams. Privacy is the most load-bearing part of the product. This policy explains what we collect, how we handle it, who can touch it, how long we keep it, and the rights you and your patients have. Technical detail for each control is documented on our security page.
Who this policy covers
Sanolith is a business-to-business product. Our direct customers are healthcare organizations ("tenants"). When a tenant uses Sanolith to process PHI, the tenant is the HIPAA Covered Entity (or Business Associate) and Sanolith acts as its Business Associate or subcontractor under a signed BAA. Patient data is handled on the tenant's behalf and under the tenant's direction.
What we collect
- Account data. Email, authentication identifiers (we use Keycloak / OIDC SSO), display name, organization, and role. Passwords are never stored in cleartext.
- Tenant content. Documents you upload, prompts you send, chat history, and retrieval (RAG) indexes built from your documents. This content is stored inside your tenant boundary and is never used to train shared or cross-tenant models.
- Protected Health Information (PHI). Any PHI in a prompt is redacted by a fail-closed redactor before it reaches the inference layer. The model sees [REDACTED] placeholders, not the underlying identifiers. If the redactor fails, the request fails: PHI does not pass through under any failure mode.
- Audit metadata. Event type, timestamp, model called, tool calls, and redaction counts. This metadata excludes the contents of your prompts and documents.
- Operational logs. Standard application and infrastructure telemetry. Logs are scrubbed of PHI before they reach our monitoring sub-processor.
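The fail-closed behaviour described for the redactor, and the shape of the audit metadata that accompanies each request, as an added illustration. This is not Sanolith's code: the detector patterns, the placeholder, the audit event fields, the BrokenDetector stand-in and the sample prompt are all constructed for the example. A fail-open variant is shown beside the gate so the difference in failure behaviour is visible.

```python
"""Fail-closed PHI redaction gate (added illustration, not Sanolith's code).

The detector patterns, placeholder, audit event shape, BrokenDetector and
sample prompt below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

PLACEHOLDER = "[REDACTED]"

# Constructed detector set: (identifier class, pattern). A real redactor would
# add an NER/ML detector for names and free-text identifiers; the sample
# patient's name below is deliberately NOT caught by these regexes.
DETECTORS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"(?<=MRN )\d{6,10}\b")),
    ("phone", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("dob", re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b")),
]

# Constructed sample prompt about a fictional patient.
SAMPLE_PROMPT = ("Summarise: pt John Smith, DOB 03/14/1962, MRN 00123456, "
                 "SSN 123-45-6789, phone 555-010-2222, email jsmith@example.org")


class RedactionFailure(Exception):
    """Redaction could not be completed; the caller must reject the request."""


class BrokenDetector:
    """Stand-in for a detector whose backend is down (constructed for the example)."""

    def subn(self, repl, text):
        raise RuntimeError("NER endpoint unreachable")

    def search(self, text):
        raise RuntimeError("NER endpoint unreachable")


@dataclass
class Redacted:
    text: str
    counts: dict = field(default_factory=dict)  # identifier class -> matches replaced


def redact(prompt, detectors=DETECTORS):
    """Replace every detector match with PLACEHOLDER; raise on any error."""
    text, counts = prompt, {}
    try:
        for name, pattern in detectors:
            text, n = pattern.subn(PLACEHOLDER, text)
            if n:
                counts[name] = n
        # Post-condition: nothing any detector still recognises may survive.
        for name, pattern in detectors:
            if pattern.search(text):
                raise RedactionFailure(f"{name} still present after redaction")
    except RedactionFailure:
        raise
    except Exception as exc:  # detector bug, backend outage, bad pattern, ...
        # Never fall back to the unredacted prompt: wrap the error and reject.
        raise RedactionFailure(f"redactor error: {type(exc).__name__}") from exc
    return Redacted(text, counts)


def redact_fail_open(prompt, detectors=DETECTORS):
    """The anti-pattern: on a detector error, pass the original prompt through."""
    try:
        return redact(prompt, detectors).text
    except RedactionFailure:
        return prompt  # PHI reaches the model exactly when the redactor is broken


def gate_request(prompt, model, detectors=DETECTORS):
    """Run the gate and build the audit metadata (event type, timestamp, model,
    redaction counts, outcome). Returns (text_for_model, audit_event); on
    failure text_for_model is None. No prompt content is placed in the event."""
    event = {
        "event": "chat.prompt",
        "ts": datetime.now(timezone.utc).isoformat(),
        "model": model,
        "redaction_counts": {},
        "outcome": "rejected",
    }
    try:
        result = redact(prompt, detectors)
    except RedactionFailure as exc:
        event["reason"] = str(exc)  # detector class / error type only, never matched text
        return None, event
    event["outcome"] = "forwarded"
    event["redaction_counts"] = result.counts
    return result.text, event


if __name__ == "__main__":
    print(gate_request(SAMPLE_PROMPT, "local-llm"))
    print(gate_request(SAMPLE_PROMPT, "local-llm", DETECTORS + [("ner", BrokenDetector())]))
```

With the constructed detectors every identifier in the sample prompt is replaced and the audit event carries only counts; adding the BrokenDetector makes gate_request return no text and a "rejected" event, whereas redact_fail_open hands the unredacted prompt onward. The patient's name survives because this toy detector set has no name detector, which is precisely why the gate has to fail closed around whatever detectors are deployed rather than trusting their coverage.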
How we use it
We use account data to operate your workspace and authenticate users; tenant content to deliver the features you invoke (chat, retrieval, clinical tool calls, per-tenant fine-tuning); and audit metadata to give you a tamper-evident record for compliance. We do not sell tenant data, and we do not use your tenant content to train models for other customers.
Where it is stored and how it is protected
Tenant content lives on encrypted volumes (AES-256 at rest) inside the Sanolith cluster. Traffic to and from the platform is encrypted with TLS 1.3. Tenants are isolated at the database (Postgres row-level security), storage (per-tenant prefixes and IAM scoping), and network layers. We do not transmit your tenant data to a third-party model provider unless you explicitly opt in to a hosted model on a tier where that provider is covered by a BAA. See /security for the full encryption, isolation, and access-control detail.
Sub-processors
Sanolith uses a small, deliberately curated set of sub-processors, each under a signed BAA where PHI is in scope (cloud infrastructure, frontier model inference on customer opt-in, secrets storage, monitoring with PHI log-scrubbing, and transactional email). Customers receive 30 days' notice before a new sub-processor handling tenant data is added. The current list and BAA status are published on our security page; subscribe there for change notifications.
Retention
- Tenant content. Retained while your account is active. On account deletion, prompts and documents are erased within 30 days.
- Audit ledger. Retained for 7 years by default to satisfy CMS / HIPAA recordkeeping expectations. Enterprise tenants can configure a longer retention period.
- Backups. Encrypted daily snapshots are retained for 35 days for disaster recovery, then rotated out.
- On termination. A full export is delivered within 30 days; all tenant data is purged from production and backups within 60 days, per the BAA. A certified destruction report is available on request.
Patient and individual rights
Where Sanolith processes PHI, the tenant (Covered Entity) is responsible for responding to patient requests for access, amendment, accounting of disclosures, and restrictions under 45 CFR Part 164. Sanolith supports the tenant in fulfilling those requests: tenant admins can export or delete tenant content and export the audit ledger directly from the portal, without vendor mediation. If you are a patient, contact your provider (the tenant) to exercise your rights; we act on their direction.
Security incidents
We maintain a documented incident-response program: a 60-minute initial-assessment target for suspected security events and a 4-hour customer-notification target for a confirmed PHI breach, consistent with the timelines in your BAA and applicable breach-notification rules. Report a concern to [email protected].
Changes to this policy
We will post material changes here and, where a change affects PHI handling, notify tenant admins. The "last updated" date at the top reflects the current version.
Contact
Privacy questions: [email protected]. Security questions: [email protected].