Trust Center
Everything your procurement team asks for, in one place.
Lingfaro works with HIPAA-covered entities, federally funded programs, and state and county agencies. This page consolidates how we protect data, the frameworks we support, and the documentation we provide to your compliance and security teams on request.
How we protect data
Four commitments behind the platform.
Data minimization
Dispatch needs language, modality, time, and location. It does not need patient names, record numbers, or clinical content. Forms are designed to keep sensitive case content out of the platform during ordinary use.
Auditable documentation
Every confirmed session produces a signed, tamper-evident record (interpreter identity, credentials active at the time, modality, timestamps, and two-party confirmation) exportable as plain JSON and PDF.
Scoped access
Sessions, invoices, and payouts are scoped per role and per organization. Encryption is enforced in transit and at rest. Identity verification is required for every interpreter.
Transparent model
We don't sell platform data, run behavioral advertising, or gate basic security behind premium tiers. Revenue is a transparent platform fee on completed sessions.
Compliance & controls
Where we stand — stated honestly.
We only claim what we actually do. Controls that are live today are marked Active; work we're building toward is marked In progress; documentation we share with your team under NDA is marked On request. We do not represent any certification we have not earned.
Encryption in transit & at rest
Active: TLS for all traffic; data encrypted at rest in the application data store.
Scoped role & organization access
Active: Sessions, invoices, and payouts are scoped per role and per organization; cross-tenant reads are denied at the data layer.
Tamper-evident session records
In progress: Every confirmed session produces a signed, hash-chained record. RFC-3161 trusted-timestamp integration is in progress.
Interpreter identity verification
Active: Identity and roster/credential status are verified for every interpreter before they can be dispatched.
HIPAA posture (BAA available)
Active: We sign Business Associate Agreements with covered entities and operate to the HIPAA Security Rule. The platform is designed so PHI stays out of dispatch.
Multi-factor authentication (TOTP)
In progress: TOTP-based multi-factor authentication is required for new operator enrollments. Coverage of all privileged operator writes is in progress.
Security event logging
Active: Authentication events — login success and failure, MFA challenges, account lockouts, and password reset and change — are written to an append-only security event log with severity levels and an operator-visible audit trail. Access to the audit log is itself logged, and events are retained for two years by an automated daily retention sweeper.
Automated data retention
Active: An automated retention sweeper runs daily in production and enforces our retention policy: notifications are pruned after 90 days, PHI scan records after 12 months, and security events after 2 years. Each sweep is itself recorded in the security event log.
SOC 2 Type II
In progress: Not yet certified. We are building toward a SOC 2 examination; we do not represent a completed report. Current status documentation is available on request.
Independent penetration testing
On request: Most recent summary shared with procurement and compliance teams under NDA on request.
The third-party services that may process data on our behalf are published in our public subprocessor registry.
Explore
Detailed pages.
Security
Our security posture, data handling, and what we provide to compliance teams.
Compliance
The federal and Minnesota language-access frameworks we map to, and what the platform produces for each.
Privacy Policy
What we collect, why, how long we keep it, and who we share it with.
Terms of Service
The rules governing use of the platform by clients and interpreters.
Documentation on request
What we provide to your compliance team.
We respond to procurement and compliance inquiries within one business day, including standard vendor security questionnaires (SIG, CAIQ, or your agency's template). On request, we provide:
- Business Associate Agreement (BAA) template
- Data Processing Addendum (DPA) template
- Security architecture summary
- Most recent penetration test summary
- HIPAA Security Risk Assessment summary
- SOC 2 status documentation
- Incident response runbook with breach-notification timelines
- Workforce HIPAA training program documentation
- Cyber liability insurance certificate of coverage
You can preview and download our standard templates — BAA, DPA, MSA, per-session interpreter NDA, and ORR subcontract terms — before procurement starts. Each is a template for your own counsel to review.
Need a BAA, a DPA, or a security review?
Tell us what your procurement process requires and we'll get the right documents to the right people.
Contact us