Security & compliance

Your patients' health data belongs in a vault, not a payment processor.

CopperTab is designed to keep PHI away from payment processors. A signed BAA comes with every plan, from day one.

Stays in CopperTab

Everything that makes a billing record medical.

Diagnosis, dose history, and clinical notes
Plan names, program details, visit history
Patient billing records and subscription logic
Invoice line items and receipt context

Covered under your BAA with CopperTab. AES-256 at rest, TLS in transit.

What Stripe sees

Only what's needed to process a charge.

amount: $299.00
payment_method: tok_••••4242
description: "Medical services"

No diagnosis, no plan details, no clinical context. Stripe sees a payment, not a patient record.

Healthcare payments work
“Echobind was always thinking 12 steps ahead and asked the right questions about how CNY Fertility was handling payments.”

Marc Thrower, Director of Corporate Accounting at CNY Fertility

Read the Stripe case study

What covers you, and where we stand.

We'll never overstate where we are. Here's an honest look at our compliance posture today.

Business Associate Agreement (BAA): Available day one

Included on every plan. No enterprise gate, no negotiation. You're covered the moment you go live.

HIPAA-aligned architecture: Built in

Designed from the ground up to keep PHI out of payment payloads, descriptors, and Stripe records. AES-256 at rest, TLS in transit, audit logs throughout.
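An illustration of the boundary described in "What Stripe sees" and in the architecture note above: the billing record holds the clinical fields, and the outbound charge carries only the three fields the page lists. This is an added example written for this page, not CopperTab's code; the record, token and field names are constructed, and the PHI field list is an assumption.

```python
"""Constructed example: build a processor payload that carries no PHI."""
from decimal import Decimal

# Assumed set of fields that must never leave the billing system.
PHI_FIELDS = {"patient_name", "diagnosis", "dose_history", "clinical_notes",
              "plan_name", "program", "visit_history"}

# Constructed internal billing record; the only place PHI lives.
BILLING_RECORD = {
    "invoice_id": "inv_0001",          # constructed
    "patient_name": "Jane Doe",        # constructed
    "diagnosis": "E11.9",              # constructed
    "plan_name": "Fertility Plus",     # constructed
    "amount": Decimal("299.00"),
    "payment_method": "tok_4242",      # constructed token placeholder
}

FIXED_DESCRIPTION = "Medical services"  # generic text, as shown on the page


def assert_no_phi(payload: dict, record: dict) -> None:
    """Fail closed if a PHI key, or the value of one, appears in the payload."""
    leaked = PHI_FIELDS & set(payload)
    if leaked:
        raise ValueError(f"PHI keys in payload: {sorted(leaked)}")
    phi_values = {str(record[k]) for k in PHI_FIELDS if k in record}
    for key, value in payload.items():
        if any(p in str(value) for p in phi_values):
            raise ValueError(f"PHI value leaked via field {key!r}")


def build_processor_payload(record: dict) -> dict:
    """Allowlist the three fields the processor needs; everything else stays."""
    payload = {
        "amount": int(record["amount"] * 100),   # integer cents
        "payment_method": record["payment_method"],
        "description": FIXED_DESCRIPTION,        # never derived from the record
    }
    assert_no_phi(payload, record)
    return payload


def phi_free(payload: dict, record: dict) -> bool:
    """Boolean form of the check, for use at the outbound boundary."""
    try:
        assert_no_phi(payload, record)
        return True
    except ValueError:
        return False
```

The value check catches the common leak the page warns about: a plan name or diagnosis copied into a free-text description or descriptor.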

PCI DSS (via Stripe): Covered

Card data is securely stored on Stripe, so it never touches CopperTab servers. Stripe's certification covers card processing.

SOC 2 Type I: Started

We've begun our SOC 2 Type I certification. Ask us for the current state, and we'll tell you exactly where we are.

Bring us your hardest compliance questions.

We'll send the BAA, walk through the HIPAA architecture, and tell you where we stand on SOC 2. No pitch. No slides.

Book a 15-min call