How we think about security
Nem handles operational and clinical data for healthcare practices. We design our platform to meet the technical, administrative, and physical safeguards required under HIPAA, even where formal certification is still in progress. This page summarizes the current state of our security posture in plain language.
Data protection
- Encryption at rest — all data is encrypted using AES-256 by our database provider.
- Encryption in transit — TLS 1.2 or higher on all network connections.
- Access control — role-based access control (RBAC) gates every API and every page.
- Audit logging — significant actions (record access, billing edits, configuration changes) are logged with actor, timestamp, and target.
- Secrets management — API keys and credentials are stored in environment variables managed by our hosting providers; never in source code.
HIPAA alignment
Nem implements HIPAA-aligned safeguards and is in the process of executing Business Associate Agreements (BAAs) with covered-entity customers and with our subprocessors. Until your BAA is signed, we recommend testing with synthetic data only.
- Technical — encryption, access control, automatic session timeout, audit logs.
- Administrative — internal access control policy, vendor risk policy, incident response plan, employee training (in progress).
- Physical — handled by our cloud hosting providers (currently Supabase / AWS US regions). SOC 2 Type II reports available on request from those providers.
Subprocessors
We use a small number of trusted subprocessors. A current list is available on request to security@nem.ai. Categories include:
- Cloud hosting and database (Supabase / AWS)
- AI voice infrastructure (Retell AI)
- Payment processing (Stripe)
- Email delivery
- Analytics (privacy-respecting only)
Incident response
We maintain a documented incident response process. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of confirmation, provide the facts as they are known, and continue to update until resolution.
Backups and continuity
- Database backups are taken at least daily.
- Backups are encrypted and retained for a rolling 30-day window.
- Point-in-time recovery is available on production environments.
Reporting a vulnerability
If you believe you have found a security vulnerability in Nem, please email security@nem.ai. We commit to acknowledging your report within 2 business days and to working with you in good faith to resolve the issue.
What is not yet in place
We believe transparency about what we have not done is as important as listing what we have. As of this document's last update:
- SOC 2 Type II is not yet completed.
- HIPAA self-attestation is in progress; BAAs are being executed on a customer-by-customer basis.
- ISO 27001 and HITRUST are out of scope for the current stage.
- Penetration testing is currently conducted internally; an external penetration test is planned ahead of broader US rollout.
Contact
For security questions, BAA requests, or vendor questionnaires:
security@nem.ai · legal@nem.ai