Security at Xylar Health
Xylar Health handles protected health information (PHI) for independent mental-health practices. Security, privacy, and compliance are core product concerns, not afterthoughts. This page summarizes our current posture and what's in progress.
Xylar is not a crisis response service. In an emergency, patients should call or text 988, or 911 for a medical emergency.
HIPAA compliance
- BAA with every practice. We sign a Business Associate Agreement with every practice before go-live. PHI never flows without a BAA in place.
- HIPAA-eligible infrastructure. Xylar runs on AWS HIPAA-eligible services. All PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Append-only audit trail. Every access to PHI is logged with user, action, resource, and timestamp. Logs are append-only and exportable on request.
- Tenant isolation. Each practice's data is logically isolated in its own account; no query path crosses account boundaries. Multi-location practices get per-location isolation under a single parent account.
- Least-privilege access. Engineers do not routinely access PHI. Production access is gated, auditable, and justified in writing.
42 CFR Part 2 (SUD treatment records)
Many mental-health practices also treat substance-use disorder (SUD) patients, whose records are governed by 42 CFR Part 2 in addition to HIPAA. Part 2 support is in progress: Xylar is being designed to accommodate its requirements, including stricter consent handling, redisclosure constraints, and dedicated audit markers on Part 2 records. If your practice is subject to Part 2, tell us during onboarding and we'll walk through your specific requirements before go-live.
SOC 2
SOC 2 Type 1 in progress for 2026. We are actively working toward a SOC 2 Type 1 report and will pursue Type 2 (which requires an observation period) once the Type 1 is complete. If your security review requires evidence before the report is available (policy documents, subprocessor list, questionnaire responses), we can share it under NDA. Email support@xylarhealth.com.
Subprocessors
Xylar uses a small number of subprocessors, each of which has a BAA in place where PHI is in scope. The current list is available on request and is kept short by design. Categories:
- Cloud infrastructure — AWS (HIPAA-eligible services only for PHI).
- Telephony & SMS — carrier partners under BAA for call capture and appointment-confirmation SMS.
- Transcription & language models — HIPAA-eligible providers with BAAs in place. PHI is not used for model training.
- Email notifications — non-PHI transactional notifications only (e.g., "you have a new urgent call"); no PHI is transmitted by email.
For the current subprocessor list with specific vendor names, email support@xylarhealth.com. We'll notify existing customers before adding any new subprocessor that processes PHI.
Data handling
- Minimum necessary. Xylar collects only what's needed to capture, transcribe, triage, and route calls.
- No training on your PHI. Patient data is not used to train general-purpose models.
- Retention and deletion. Recordings, transcripts, and summaries are retained according to your practice's configured retention policy and deleted on request when the agreement terminates.
- Incident response. We follow a documented incident response process with customer notification commitments in the BAA.
Security review and questions
We're happy to complete security questionnaires and share our current documentation under NDA. Reach out at support@xylarhealth.com and we'll get you what you need.