Is Hedy SOC 2 compliant?

Yes. Hedy completed an independent SOC 2 Type I audit of its security controls in April 2026.

Is Hedy HIPAA compliant?

Yes. Hedy was independently assessed for how it handles health information as a Business Associate, covering the HIPAA Security and Breach Notification rules.

Does Hedy sign a Business Associate Agreement (BAA)?

Yes. Hedy can sign a Business Associate Agreement with organizations that require one before sharing protected health information.

What does Hedy's SOC 2 report cover?

It covers Hedy's security controls, assessed against the AICPA Trust Services Criteria for Security.

How do I get Hedy's SOC 2 or HIPAA report?

Both reports are available to customers and prospects through the Hedy Trust Center at trust.hedy.ai, or by emailing security@hedy.bot.

Is Hedy GDPR compliant?

Yes. Hedy provides a full processor-side GDPR framework, including a Data Processing Addendum, Standard Contractual Clauses, a Transfer Impact Assessment, and documented Technical and Organizational Measures, all available in the Trust Center.

Does Hedy offer EU data residency?

Yes. New users can choose European storage and AI processing during onboarding, keeping conversation data on EU servers.

Julian Pscheid · May 29, 2026

Hedy Is Now SOC 2 Type I and HIPAA Compliant

Q: Does Hedy use my conversations to train AI?

No. Cloud AI analysis is transient and is never stored or used to train models, and Hedy never sells your data.

Hedy completed independent SOC 2 Type I and HIPAA audits in April 2026. Here is what that means for how your data is protected.

Glowing digital security shield with a checkmark, representing Hedy's completed SOC 2 Type I and HIPAA audits

Hedy is now SOC 2 Type I and HIPAA compliant. We put Hedy through independent SOC 2 Type I and HIPAA audits, both completed in April 2026. For a privacy-first product built by a small team, meeting the security bar that enterprise buyers expect from much larger vendors is a milestone worth marking.

What did Hedy complete?

Two independent audits:

SOC 2 Type I: an independent review of Hedy’s security controls.
HIPAA: an independent assessment of how Hedy handles health information as a Business Associate.

Both are independent confirmation of the privacy and security work Hedy is already built on.

What does this mean for you?

Day to day, what you rely on doesn’t change. Speech recognition runs on your device by default, and AI analysis can too. Your audio never leaves your control unless you choose to share it, cloud AI analysis stays transient and is never stored or used to train models, and we never sell your data.

What’s new is the proof. If your security review asks for SOC 2, the report is ready. If your organization needs a Business Associate Agreement before using Hedy, we can sign one.

What else protects your data?

This sits alongside everything Hedy already does to protect you: a full GDPR framework, EU data residency, and on-device speech recognition. The SOC 2 Type I and HIPAA reports are available to customers and prospects through our Trust Center, or reach the security team at security@hedy.bot. You can see it all on our security page.

Your most sensitive conversations deserve real protection. Now that protection is independently verified.

About the author

Julian Pscheid is the founder and CEO of Hedy AI, an AI visit assistant used by tens of thousands of patients, caregivers, and professionals worldwide. He writes about how AI is changing the way people prepare for, capture, and understand important conversations.

Back to News Download as PDF

Hedy Is Now SOC 2 Type I and HIPAA Compliant

What did Hedy complete?

What does this mean for you?

What else protects your data?

Your next meeting is your best one yet