Sully.ai is designed to meet the highest standards of security, privacy, and compliance, so healthcare organizations can deploy with confidence and focus on delivering care.
Trusted by healthcare organizations with over 100,000 providers

Multi-layered protection
Defense in depth across every layer of the stack. Data encrypted at rest with AES-256 and in transit with TLS 1.3. Access controlled by zero-trust architecture with MFA enforced across all systems.
Built-in data autonomy
Your patient data is yours. Sully operates as a HIPAA Business Associate, executing BAAs with every covered entity. PHI is never shared, sold, or used for model improvement without explicit consent.
Healthcare-ready infrastructure
Deployed on HIPAA-eligible AWS infrastructure with network isolation, WAF protection, and real-time threat monitoring. Designed for the reliability and compliance healthcare demands.
Compliance at Every Layer
Meeting healthcare's highest standards
HIPAA Compliance
We operate as a HIPAA Business Associate, executing BAAs with all covered entity customers. Our program includes administrative, physical, and technical safeguards across all PHI handling processes.
HITRUST CSF
HITRUST certification — the gold standard in healthcare security — validates our comprehensive controls across privacy, security, and risk management.
ISO 27001:2022
Our Information Security Management System meets the latest ISO 27001 standard, demonstrating systematic risk management at enterprise scale.
Privacy Policy
A clear, transparent privacy policy covering data collection, use, and retention — with specific provisions for healthcare data and patient privacy.
Responsible AI for healthcare environments
No PHI in Model Training
Patient health information is never used to train AI models.
AI Usage Guidance Published
We publish clear documentation on how AI operates within our products.
Clinician-in-the-loop By Design
Our AI surfaces documentation, coding, and triage recommendations while clinicians retain full authority.
Continuous Accuracy Monitoring
We continuously audit AI output quality against clinical standards.
Data flow (architecture diagram):
Your EHR / Clinical Systems (Epic, Oracle Health, Athena, +40 more)
→ Encrypted API Layer: TLS 1.3, auth tokens, client-scoped data
→ Sully AI Processing Environment: isolated compute, AES-256, ephemeral sessions
→ LLM Provider: zero-retention enterprise API, no PHI training
→ AI Output → Clinician Review: surfaced in the EHR, clinician has final authority
Security controls:
AES-256 Encryption: end-to-end encryption, AWS KMS, auto-rotating keys
Network Isolation: VPC isolation, WAF, DDoS mitigation
High Availability: 99.9% uptime, multi-region redundancy
Audit Logging: immutable logs, every data access logged
Pen Testing: annual independent tests, CVE tracking
Backup & Recovery: daily backups, defined RTO/RPO targets
Designed for safety and scalability
HIPAA-Eligible Cloud Infrastructure
Deployed on AWS HIPAA-eligible services with signed BAAs for all in-scope infrastructure components.
Annual Penetration Testing
Independent third-party pen tests annually, plus continuous vulnerability scanning.
Immutable Audit Logging
All data access events logged in tamper-resistant, customer-reviewable audit trails.
HIPAA-Aligned Incident Response
Formal breach notification procedures with HIPAA-mandated notification timelines and post-incident reports.
FAQ
Do you sign a BAA?
Is patient data used to train your AI models?
Where is customer data stored?
How do you handle a security incident?
Do you conduct penetration testing?
What is your vendor / sub-processor list?
