Security at Xylar
Xylar handles protected health information (PHI) for independent clinics across physical therapy, mental health, and primary care. Security, privacy, and compliance are core product concerns, not afterthoughts. This page summarizes our current posture and what's in progress.
Xylar is not a crisis response service. In an emergency, patients should call or text 988, or 911 for a medical emergency.
HIPAA-aware infrastructure
- BAA available for pilot customers. Xylar runs on HIPAA-aware infrastructure and we sign a Business Associate Agreement before any production PHI flows.
- HIPAA-eligible cloud. Xylar runs on AWS HIPAA-eligible services. All PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Append-only audit trail. Every access to PHI is logged with user, action, resource, and timestamp. Logs are append-only and exportable on request.
- Tenant isolation. Each clinic's data is logically isolated per account. Multi-location practices get per-location isolation under a single parent account.
- Least-privilege access. Engineers do not routinely access PHI. Production access is gated, auditable, and justified in writing.
42 CFR Part 2 (SUD treatment records)
Several of the verticals we serve also treat substance-use disorder (SUD) patients, whose records are governed by 42 CFR Part 2 in addition to HIPAA. Xylar is being designed to accommodate Part 2 requirements, including stricter consent handling, redisclosure constraints, and dedicated audit markers for Part 2 records. If your practice is subject to Part 2, tell us during onboarding and we'll walk through your specific requirements before go-live.
SOC 2
SOC 2 Type 1 in progress for 2026. We are actively working toward a SOC 2 Type 1 report and will pursue Type 2 once the Type 1 is complete. If your security review requires current evidence (policy documents, subprocessor list, questionnaire responses), we can share them under NDA. Email support@xylarhealth.com.
Subprocessors
Xylar uses a small number of subprocessors, each of which has a BAA in place where PHI is in scope. The current list is available on request and is kept short by design. Categories:
- Cloud infrastructure: AWS (HIPAA-eligible services only for PHI).
- Telephony & SMS: HIPAA-eligible carrier partners for call answering, voicemail, and patient SMS.
- AI / voice models: HIPAA-eligible providers with BAAs in place for the voice receptionist, transcription, and intent classification. PHI is not used for model training.
- EHR integrations: reads from and writes to the customer's EHR account under the customer's own credentials and BAA.
- Email notifications: non-PHI transactional notifications only (e.g., “you have a new urgent task”); no PHI is transmitted by email.
For the current subprocessor list with specific vendor names, email support@xylarhealth.com. We'll notify existing customers before adding any new subprocessor that processes PHI.
Data handling
- Minimum necessary. Xylar collects only what's needed to answer, route, triage, and follow up on patient communications.
- No training on your PHI. Patient data is not used to train general-purpose models.
- Retention and deletion. Recordings, transcripts, summaries, tasks, and messages are retained per your practice's configured policy and deleted on request at termination.
- Incident response. We follow a documented incident response process with customer notification commitments in the BAA.
Security review and questions
We're happy to complete security questionnaires and share our current documentation under NDA. Reach out at support@xylarhealth.com and we'll get you what you need.