Security & Data Handling

Effective July 9, 2026

1. Where things stand today

SomaIQ runs on demonstration and synthetic data only

No real patient data is stored or processed by SomaIQ today, and we do not accept any. Every demo runs on sample panels. The HIPAA safeguards and Business Associate Agreements (BAAs) required to handle real protected health information are being put in place before the first pilot touches a real chart. We would rather tell you this plainly than imply protections that are not yet in force.

2. Designed in from the start

Some protections are architectural: they exist because of how the product is built, not because of a policy layered on later.

  • Minimum necessary to the AI. The interpretation engine sees only what it needs to read a panel: age, sex, medications, supplements, conditions, and biomarker values. Names, dates of birth, addresses, and record numbers are never included in any AI prompt.
  • Nothing ships without practitioner approval. The AI drafts; the practitioner edits and approves. No interpretation reaches a patient until a licensed practitioner signs off, and the software never suggests medication doses.
  • Uploaded files are not used to train models.
  • Patient report links are private by design. Shared reports live behind unguessable tokens, are excluded from search engines, and invalid tokens return nothing.

3. Protections in place today

  • Encryption in transit (TLS) on every connection.
  • Encryption at rest for the database and file storage.
  • Row-level security scoping every record to its organization, so one practice can never read another’s data.
  • Lab files stored in private buckets, never publicly accessible.
  • An audit trail of data access and changes that records IDs and actions only, never health values.
  • An enforced Content-Security-Policy and hardened security headers on every page.
  • No analytics on the application or on patient reports. Consent-gated analytics run on the public marketing pages only.

4. What activates before the first real chart

The following are in progress and gate any pilot involving real patient data. Each one must be in force first:

  • A signed BAA with our AI provider (Anthropic) including zero data retention for clinical content.
  • HIPAA-eligible infrastructure tiers and BAAs with our database and hosting providers (Supabase and Vercel).
  • A signed BAA between SomaIQ and your practice.

If you are evaluating SomaIQ for your practice, we will walk you through exactly what is covered before anything real goes in. Ask us anything at hello@somaiq.ai.

5. Related documents

The Privacy Policy covers what we collect on this website, and the Terms of Service prohibit uploading real patient information until a BAA is signed with your practice.