HIPAA Compliance Notice

How DDSVPN aligns with HIPAA requirements for dental practices.

Our HIPAA Posture

DDSVPN is designed with HIPAA compliance in mind. While we are not a Covered Entity and may qualify for the Conduit Exception, we voluntarily maintain HIPAA-aligned practices because our customers — dental practices — are Covered Entities.

Safeguards

Technical Safeguards

  • All tunnel traffic encrypted with ChaCha20-Poly1305 (WireGuard)
  • Authentication via cryptographic Magic Links (no passwords stored)
  • Session tokens are short-lived (1-hour JWT, 7-day refresh)
  • Private keys generated on-device, never transmitted to our servers
  • All API traffic encrypted with TLS 1.3
  • Database encrypted at rest (Supabase PostgreSQL with AES-256)

Administrative Safeguards

  • Role-based access control (user / admin / superadmin)
  • Audit logging for all authentication and provisioning events
  • Staff access revocation with immediate effect (peer removed from firewall)
  • BAA available upon request for all paying customers

Physical Safeguards

  • Infrastructure hosted on SOC 2 compliant providers (Fly.io, Supabase, Cloudflare)
  • No on-premises DDSVPN servers — SaaS architecture with US-based hosting
  • Data centers with physical access controls and monitoring

What DDSVPN Does NOT Do

  • We do NOT store, access, or process Protected Health Information
  • We do NOT have access to Patient Records, Charts, Images, or Billing Data
  • We do NOT monitor the content of VPN tunnel traffic
  • We are a connectivity layer — a secure pipe between your staff and your Office network

Questions about HIPAA compliance?

Email our compliance team: compliance@ddsvpn.com