Protecting data at every layer.

Smile Advantage is built following HIPAA requirements and best practices to safeguard patient health information. We maintain Business Associate Agreements with our hosting provider, payment processor, and service providers.

All data is encrypted at rest and in transit using industry-standard methods. Database storage and backups are encrypted, and sensitive fields within the application receive additional layers of protection.

Payments are processed through a Level 1 PCI Compliant service provider. Credit card data does not touch or reside in Smile Advantage systems. All payment methods are securely tokenized by the processor, so only non-sensitive reference data is retained for display.

The Smile Advantage platform is protected by a web application firewall, bot detection, and DDoS mitigation. All connections are served over HTTPS, and traffic is monitored and filtered before it reaches the application.

Role-based permissions ensure staff only see what they need. Accounts require verification, and authentication is rate-limited to help prevent unauthorized access. Password policies are informed by current NIST guidelines.

Sessions automatically time out after a period of inactivity, and extended sessions require re-authentication. All session data is stored server-side, and session events are captured in an audit trail.

Important platform actions are logged, including but not limited to authentication, enrollments, payments, communications, and profile changes. Every record includes user attribution and timestamps, and records are retained in accordance with our data retention policies.

The platform uses a multi-tenant architecture with practice-level data boundaries. Patient and member data is scoped to each office, with authorization checks applied to every operation and data request.

Protected health information is not sent to third-party analytics services. Only non-identifying, office-level business metrics are tracked.

Our text messaging system is designed for TCPA compliance with automatic STOP keyword opt-out, and a detailed audit trail. Consent records are append-only and never modified.

All third-party vendors and subprocessors that handle sensitive data are vetted for security, privacy, and compliance standards before integration. Business Associate Agreements are required where applicable, and vendor relationships are reviewed on an ongoing basis.

Every feature goes through automated testing before deployment. Our development process includes code scanning for security vulnerabilities, static analysis, and pre-commit quality checks. In production, errors are captured and monitored in real time with centralized logging.