Enterprise-grade trust, built for regulated industries
Lippy handles real customer conversations for healthcare, home services, and other businesses where security isn't optional. Here's exactly how we protect your data and your callers.
How we protect your data
Security is engineered into the platform, not bolted on. These are the controls in place today.
HIPAA-compliant healthcare offering
For healthcare customers, Lippy operates a HIPAA-compliant offering. We sign a Business Associate Agreement (BAA) and run protected health information (PHI) on a dedicated, separately verified Firebase environment, isolated from our standard workloads. PHI is only handled once a BAA is executed and HIPAA features are enabled.
Encryption in transit and at rest
All traffic to and from Lippy is encrypted in transit over TLS. Customer data is encrypted at rest by our cloud infrastructure providers (AWS and Google Cloud). Third-party integration credentials are stored encrypted.
Access controls and least privilege
Access to customer data is scoped by organization and role (owner, admin, member, viewer), enforced server-side. Internal access follows least-privilege principles, with multi-factor authentication required for administrative accounts and infrastructure access.
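The scoping described above, as an added illustration rather than Lippy's own code: every request is authorized against the organization that owns the stored record, with the four role names from this page ordered so that higher roles inherit lower ones. The actions, data model, and sample records are assumptions made for the example.

```typescript
// Added example (not Lippy's code): server-side authorization that scopes
// every data access by organization and role. Role names match the page;
// the actions, data model and sample records below are assumptions.

export type Role = "owner" | "admin" | "member" | "viewer";
export type Action = "read" | "write" | "manage_members" | "delete_org";

// Roles are ordered; a higher role inherits the lower roles' permissions.
const ROLE_RANK: Record<Role, number> = { viewer: 0, member: 1, admin: 2, owner: 3 };

// Minimum role required for each action.
const MIN_ROLE: Record<Action, Role> = {
  read: "viewer",
  write: "member",
  manage_members: "admin",
  delete_org: "owner",
};

interface Membership { userId: string; orgId: string; role: Role }
interface Resource { id: string; orgId: string }

// Constructed sample data standing in for the membership and data tables.
const MEMBERSHIPS: Membership[] = [
  { userId: "alice", orgId: "org-clinic", role: "owner" },
  { userId: "bob", orgId: "org-clinic", role: "viewer" },
  { userId: "carol", orgId: "org-plumber", role: "admin" },
];
const RESOURCES: Record<string, Resource> = {
  "call-1": { id: "call-1", orgId: "org-clinic" },
  "call-2": { id: "call-2", orgId: "org-plumber" },
};

export interface Decision { allowed: boolean; reason: string }

// Look up the caller's role in one specific organization. No membership
// means no role at all, regardless of roles held in other organizations.
export function roleIn(userId: string, orgId: string): Role | null {
  const m = MEMBERSHIPS.find((x) => x.userId === userId && x.orgId === orgId);
  return m ? m.role : null;
}

// Authorize an action on a resource. The organization is taken from the
// stored resource, never from the client request, so a caller cannot aim
// an admin role held in org A at data that belongs to org B.
export function authorize(userId: string, resourceId: string, action: Action): Decision {
  const resource = RESOURCES[resourceId];
  // Missing resources and cross-org resources get the same answer, so the
  // response does not reveal whether an ID exists in another organization.
  if (!resource) return { allowed: false, reason: "not found or no access" };
  const role = roleIn(userId, resource.orgId);
  if (role === null) return { allowed: false, reason: "not found or no access" };
  if (ROLE_RANK[role] < ROLE_RANK[MIN_ROLE[action]]) {
    return { allowed: false, reason: `role ${role} cannot ${action}` };
  }
  return { allowed: true, reason: `role ${role} may ${action}` };
}

// Handler pattern: decide first, then touch data.
export function getCallTranscript(userId: string, callId: string): string {
  const d = authorize(userId, callId, "read");
  if (!d.allowed) throw new Error(`forbidden: ${d.reason}`);
  return `transcript for ${callId}`; // placeholder for the real fetch
}
```

The check that matters most is the one a client cannot influence: the org ID comes from the record being accessed, not from a request parameter, and a user with no membership in that org is indistinguishable from a user asking for a record that does not exist.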
AI transparency
Callers are told they're speaking with an AI assistant. We believe disclosure is the right default for conversational AI, and we build our agents to be upfront that the voice on the line is Lippy's AI.
Data handling and retention
Customer data is logically separated by organization. Data is retained to operate the service and is deleted in line with our agreements and applicable retention obligations. Our subprocessors are vetted and published, and a Data Processing Agreement is available.
Credential and secret management
Application secrets and integration tokens are managed through a centralized secrets store with rotation procedures, never committed to source control. Production access is gated and audited.
Compliance status
We're transparent about where we are. We only claim what's true today.
HIPAA: Available to healthcare customers under an executed BAA with HIPAA features enabled.
SOC 2 Type II: On our roadmap. We are working toward SOC 2 Type II through our compliance program; not yet certified.
Continuous monitoring: Infrastructure, dependency, and vulnerability monitoring run continuously across our cloud accounts.
DPA and subprocessors: A Data Processing Agreement and a current list of subprocessors are publicly available.
SOC 2 Type II is in progress and on our roadmap — Lippy is not yet SOC 2 certified. We'll update this page as our certification status changes.
Policies & documentation
Have a security or compliance question?
Our team is happy to walk through our architecture, sign a BAA, or answer your security questionnaire.