Built for HIPAA from the ground up. Not bolted on after.
Mandi was designed in partnership with dentists — by the son of one — a cybersecurity expert with enterprise defense-industry experience. Your patient data is treated the same way aerospace systems treat classified access — by construction, not by policy.
What's built in — not bolted on.
Tenant isolation by construction
Cross-tenant reads are structurally impossible at the database level. Each practice's data is strictly isolated.
Human-in-the-loop writes
AI proposes; staff confirms; nothing executes automatically. No rogue scripts modifying your schedule.
AI sandbox boundaries
The AI never touches the database directly. It only calls a whitelisted, tightly constrained set of validated tools.
Minimum-necessary to AI
Patient names are masked as "First L." Phone numbers, emails, and DOBs never reach the language model at all.
PHI-scrubbed logs
Aggressive filtering ensures patient data cannot accidentally land in application or server logs.
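The two controls above, the "First L." name masking with phone/email/DOB withheld from the model and the scrubbing of identifiers from log lines, as an added example in Python. This is illustrative code written for this page, not Mandi's implementation; the record field names, the allow-listed "reason" field and the redaction patterns are assumptions.

```python
import re
from datetime import date

# Constructed sample record; field names are assumptions, not Mandi's schema.
PATIENT = {
    "first_name": "Maria",
    "last_name": "Gonzalez",
    "phone": "555-0134",
    "email": "maria.g@example.com",
    "dob": date(1984, 3, 9),
    "reason": "Crown prep follow-up",
}

# Fields that never reach the language model (phone, email, DOB).
DIRECT_IDENTIFIERS = {"phone", "email", "dob"}


def mask_name(first: str, last: str) -> str:
    """Reduce a full name to the 'First L.' form."""
    first, last = first.strip(), last.strip()
    return f"{first} {last[0].upper()}." if last else first


def minimize_for_model(record: dict) -> dict:
    """Build the minimum-necessary view of a patient record for the LLM.

    Allow-list, not deny-list: only explicitly permitted keys are copied, so a
    PHI field added to the record later is dropped by default rather than leaked.
    """
    allowed = {"reason"}  # assumption: non-identifying free text the scheduler needs
    view = {k: record[k] for k in allowed if k in record}
    view["patient"] = mask_name(record["first_name"], record["last_name"])
    if DIRECT_IDENTIFIERS & view.keys():  # defence in depth: fail closed
        raise ValueError("direct identifier leaked into model view")
    return view


# Log scrubbing: redaction patterns for values that must not land in logs.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_PHONE = re.compile(r"\b(?:\+?1[-. ]?)?(?:\(?\d{3}\)?[-. ]?)?\d{3}[-. ]?\d{4}\b")
_DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")


def scrub_log_line(line: str) -> str:
    """Redact emails, phone numbers and dates before a line is written to a log."""
    line = _EMAIL.sub("[EMAIL]", line)
    line = _PHONE.sub("[PHONE]", line)
    return _DATE.sub("[DATE]", line)
```

Pattern-based scrubbing is a backstop for the allow-list, not a substitute for it: a format the regexes do not anticipate will pass through, so the model view should never contain the identifiers in the first place.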
Tamper-evident audit trail
Every action and every read is logged, tenant-scoped, and securely retained for compliance auditing.
We sign a BAA before anything else.
Before any real patient data flows through Mandi, we execute a fully signed Business Associate Agreement with your practice. Building for HIPAA isn't a feature — it's the foundation. We won't cut corners on this, and we won't ask you to either.
What's coming before launch
- TLS end-to-end and encryption at rest across all datastores.
- SSO + MFA support, Role-Based Access Control (RBAC), and automatic session expiry.
- Fully executed BAAs with every underlying business associate/infrastructure provider.
- Documented risk analysis, written security policies, and designated Security Officer.
- Independent third-party HIPAA gap assessment before any real PHI flows.
Talk to our security team
Have specific compliance requirements or technical questions? We're happy to discuss our architecture in detail.
Email security@heymandi.ai