Overview
The Capture service is operated by Capture, a US-based company. When customers who are HIPAA-covered entities or business associates use the service, we act as a Business Associate to those customers and execute a Business Associate Agreement (BAA) before any Protected Health Information (PHI) is processed. This page describes the technical, administrative, and physical safeguards we implement, the subprocessors we rely on, and how to engage with us on compliance.
Business Associate Agreement
Customers must have a signed BAA with Capture before submitting PHI. To start that conversation, email hello@joincapture.ai with your organization name and primary compliance contact.
Subprocessors with signed BAAs
- Google Cloud (Firestore, Vertex AI, Cloud Run, Firebase Hosting, Identity Platform). Hosting, database, authentication, and AI inference. HIPAA BAA executed with Google Cloud.
We will provide our current subprocessor list on request and will notify customers under BAA before adding any new subprocessor that handles PHI.
Subprocessors that do not receive PHI
- Stripe. Subscription billing and payments. Receives only billing email and Stripe identifiers.
- Slack. Receives operational error metadata (request IDs, error types, route names) for engineering alerts. PHI is excluded from log payloads by our HIPAA-aware logger.
Technical safeguards (45 CFR § 164.312)
- Access control. Per-user authentication via Firebase Identity Platform; user-scoped Firestore security rules enforce that documents are readable and writable only by their owner.
- Encryption in transit. TLS 1.2+ on all client and server-to-server traffic. HSTS enabled with preload.
- Encryption at rest. AES-256 at rest in Firestore and Cloud Storage, managed by Google Cloud.
- HIPAA-aware logging. Centralized logging pipeline excludes clinical content. Error notifications carry request IDs, error class names, and route names only; error messages and stack traces, which can interpolate user-supplied text, are not forwarded.
- Session controls. Idle-session timeout (15 minutes) and absolute session timeout (8 hours).
- AI inference. All large-language-model calls route through Google Cloud Vertex AI under our Google BAA. The public Generative Language API is not used for production traffic.
- Right to delete. Authenticated users can delete their account and associated documents via the in-product control or by emailing hello@joincapture.ai.
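As an added illustration of the logging approach described in the bullets above (example code, not Capture's own logger): an allowlisting error notifier that forwards only identifier-shaped fields (request ID, route name, error class, error code) and drops the error message, the stack and every other request-context field, since those are where clinical text ends up. The field names, the injected sink standing in for a Slack webhook client, and the sample error are assumptions constructed for this example.

```javascript
// Added example, not Capture's code: an allowlisting error logger in the
// spirit of the HIPAA-aware logging described above. Field names
// (requestId, route, code) and the injected sink are assumptions.

// An alert field must look like an identifier: a bounded character set,
// bounded length, no whitespace. Free text (error messages, request
// bodies, note contents) fails this test and is replaced, not forwarded.
const IDENTIFIER = /^[A-Za-z0-9_.:\/\-]{1,128}$/;

// The only keys an alert may carry. Nothing else in the request context
// is ever copied, so a field holding clinical content cannot leak by name.
const ALLOWED_KEYS = ["requestId", "route", "errorType", "errorCode"];

function asIdentifier(value) {
  if (value === undefined || value === null) return "unknown";
  if (typeof value !== "string" || !IDENTIFIER.test(value)) return "[redacted]";
  return value;
}

// Build the alert payload from an Error and a per-request context.
// err.message and err.stack are deliberately ignored: they routinely
// interpolate user-supplied strings.
function buildAlertPayload(err, ctx = {}) {
  const payload = {
    requestId: asIdentifier(ctx.requestId),
    route: asIdentifier(ctx.route),
    errorType: asIdentifier(err && err.constructor ? err.constructor.name : undefined),
    errorCode: asIdentifier(err ? err.code : undefined),
  };
  // Fail closed if a refactor ever adds a key that is not on the allowlist.
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_KEYS.includes(key)) {
      throw new Error(`alert payload carries non-allowlisted key: ${key}`);
    }
  }
  return payload;
}

// Sends only the allowlisted payload to a sink (in production a Slack
// webhook client; injected here so the behaviour can be checked offline).
class HipaaAwareLogger {
  constructor(sink) {
    this.sink = sink;
  }
  error(err, ctx) {
    const payload = buildAlertPayload(err, ctx);
    this.sink(payload);
    return payload;
  }
}

// True if the serialized payload contains any of the given strings; used
// to verify that clinical text from the request never reaches the sink.
function leaks(payload, strings) {
  const serialized = JSON.stringify(payload);
  return strings.some((s) => serialized.includes(s));
}

// Constructed sample (fabricated for the example): a handler error whose
// message and context both embed clinical text.
const CLINICAL_TEXT = "Patient Jane Roe, DOB 1980-02-14, dx E11.9";
const sampleError = Object.assign(
  new RangeError(`failed to summarize note: ${CLINICAL_TEXT}`),
  { code: "SUMMARY_TOO_LONG" }
);
const sampleContext = {
  requestId: "req-8f3a2c",
  route: "/api/notes/:id/summarize",
  body: CLINICAL_TEXT,               // must never be copied
  userEmail: "jane.roe@example.com", // must never be copied
};

const sent = [];
const logger = new HipaaAwareLogger((payload) => sent.push(payload));
const alertPayload = logger.error(sampleError, sampleContext);
// → {"requestId":"req-8f3a2c","route":"/api/notes/:id/summarize","errorType":"RangeError","errorCode":"SUMMARY_TOO_LONG"}
```

The design choice worth noting is allowlisting over scrubbing: a denylist of PHI patterns (names, dates, MRNs) will always miss something, whereas a payload that can only ever contain short identifier-shaped values has no channel for free text in the first place. Any value that does not fit the identifier shape is replaced with a marker rather than trimmed, so a partially redacted message cannot slip through.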
Administrative safeguards (45 CFR § 164.308)
- Least-privilege production access. Production access is limited to a small number of authorized personnel.
- Subprocessor review. Subprocessors that handle PHI are added only when they have a HIPAA BAA in place with us, and we update our public subprocessor list when those relationships change.
Physical safeguards (45 CFR § 164.310)
Capture runs entirely on Google Cloud infrastructure. Physical security of the data centers (perimeter security, surveillance, hardware decommissioning) is the responsibility of Google Cloud and is covered under their HIPAA BAA. We do not operate self-hosted servers that process PHI.
Breach notification
In the event of a breach of unsecured PHI as defined under 45 CFR § 164.402, we will notify the affected covered entity without unreasonable delay and in no case later than 60 calendar days after discovery, consistent with 45 CFR § 164.410. Under § 164.410(a)(2), a breach is treated as discovered on the first day it is known to us or, by exercising reasonable diligence, would have been known to us, so the regulatory clock runs from that date rather than from the date the breach is confirmed. Operational target: notification within 72 hours of a confirmed breach. Notice will include the information required under § 164.410(c), namely identification of each affected individual and any other available information the covered entity needs for its own notifications, to enable the covered entity to meet its notification obligations.
Reporting a security issue
To report a vulnerability or suspected security incident, email hello@joincapture.ai. We acknowledge reports within two business days.
What we do not claim
Capture is not currently SOC 2 or HITRUST certified. We do not represent ourselves as a covered entity. Our compliance posture is described above and is not, on its own, a substitute for the customer’s own HIPAA risk assessment. We are happy to support customer security reviews; contact hello@joincapture.ai.