Trust at Sully
Sully.ai is designed to meet the highest standards of security, privacy, and compliance, so healthcare organizations can deploy with confidence and focus on care.

CSF CERTIFIED
ISO 27001:2022
SOC 2 TYPE II
HIPAA COMPLIANT
How Sully earns trust
Security is core to our product, not an afterthought
We apply enterprise-grade security across every layer, from infrastructure to AI model governance, so every health system we serve can rely on us with confidence.
Multi-layered defenses protect data at rest and in transit. We conduct continuous vulnerability management and regular third-party penetration tests.
Patient data is handled with strict purpose limitation. We serve as a Business Associate under HIPAA and maintain comprehensive DPAs with every customer.
We publish clear guidance on AI model usage, LLM data retention policies, and how clinical accuracy is maintained and audited across all AI outputs.
We maintain HIPAA, HITRUST, SOC 2 Type II, and ISO 27001:2022 compliance — with audit-ready documentation available to support your compliance review process.
AI Security
Responsible AI for clinical environments
Healthcare AI demands a higher standard. We've built AI governance frameworks that match the sensitivity of patient data and the accountability requirements of health systems.
No PHI in Model Training
Patient health information is never used to train AI models — ours or our LLM providers'. All processing is governed by strict enterprise data agreements.
AI Software Use Guidance Published
We publish clear documentation on how AI operates within our products, enabling compliance officers to evaluate our approach confidently.
Clinician-in-the-loop By Design
Our AI surfaces documentation, coding, and triage recommendations — but clinicians retain full authority. AI augments care, never replaces clinical judgment.
Continuous Accuracy Monitoring
We continuously audit AI output quality against clinical standards, with feedback mechanisms that improve accuracy over time.

Healthcare Standard
Meeting healthcare's highest standards
HIPAA Compliance
We operate as a HIPAA Business Associate, executing BAAs with all covered entity customers. Our program includes administrative, physical, and technical safeguards across all PHI handling processes.
HITRUST CSF
HITRUST certification — the gold standard in healthcare security — validates our comprehensive controls across privacy, security, and risk management.
SOC 2 Type II
Independently audited controls for security, availability, and confidentiality. Full reports available to qualified prospects under NDA.
ISO/IEC 27001:2022
Our Information Security Management System meets the latest ISO 27001 standard, demonstrating systematic risk management at enterprise scale.
Privacy Policy
A clear, transparent privacy policy covering data collection, use, and retention — with specific provisions for healthcare data and patient privacy.

We’re here and ready to answer all of your questions
Ready for the future of healthcare?