Trust Center

Everything your procurement team asks for, in one place.

Lingfaro works with HIPAA-covered entities, federally funded programs, and state and county agencies. This page consolidates how we protect data, the frameworks we support, and the documentation we provide to your compliance and security teams on request.

How we protect data

Four commitments behind the platform.

Data minimization

Dispatch needs language, modality, time, and location. It does not need patient names, record numbers, or clinical content. Forms are designed to keep sensitive case content out of the platform during ordinary use.

Auditable documentation

Every confirmed session produces a signed, tamper-evident record (interpreter identity, credentials active at the time, modality, timestamps, and two-party confirmation) exportable as plain JSON and PDF.

Scoped access

Sessions, invoices, and payouts are scoped per role and per organization. Encryption is enforced in transit and at rest. Identity verification is required for every interpreter.

Transparent model

We don't sell platform data, run behavioral advertising, or gate basic security behind premium tiers. Revenue is a transparent platform fee on completed sessions.

Compliance & controls

Where we stand — stated honestly.

We only claim what we actually do. Controls that are live today are marked Active; work we're building toward is marked In progress; documentation we share with your team under NDA is marked On request. We do not represent any certification we have not earned.

  • Encryption in transit & at rest

    Active

    TLS for all traffic; data encrypted at rest in the application data store.

  • Scoped role & organization access

    Active

    Sessions, invoices, and payouts are scoped per role and per organization; cross-tenant reads are denied at the data layer.

  • Tamper-evident session records

    In progress

    Every confirmed session produces a signed, hash-chained record. RFC-3161 trusted-timestamp integration is in progress.

  • Interpreter identity verification

    Active

    Identity and roster/credential status are verified for every interpreter before they can be dispatched.

  • HIPAA posture (BAA available)

    Active

    We sign Business Associate Agreements with covered entities and operate to the HIPAA Security Rule. The platform is designed so PHI stays out of dispatch.

  • Multi-factor authentication (TOTP)

    In progress

    TOTP-based multi-factor authentication is required for new operator enrollments. Coverage of all privileged operator writes is in progress.

  • Security event logging

    Active

    Authentication events — login success and failure, MFA challenges, account lockouts, and password reset and change — are written to an append-only security event log with severity levels and an operator-visible audit trail. Access to the audit log is itself logged. Events are retained for two years, and an automated daily retention sweeper enforces that period.

  • Automated data retention

    Active

    An automated retention sweeper runs daily in production and enforces our retention policy: notifications are pruned after 90 days, PHI scan records after 12 months, and security events after 2 years. Each sweep is itself recorded in the security event log.

  • SOC 2 Type II

    In progress

    Not yet certified. We are building toward a SOC 2 examination; we do not represent a completed report. Current status documentation is available on request.

  • Independent penetration testing

    On request

    Most recent summary shared with procurement and compliance teams under NDA on request.

The third-party services that may process data on our behalf are published in our public subprocessor registry.

Documentation on request

What we provide to your compliance team.

We respond to procurement and compliance inquiries within one business day, including standard vendor security questionnaires (SIG, CAIQ, or your agency's template). On request, we provide:

  • Business Associate Agreement (BAA) template
  • Data Processing Addendum (DPA) template
  • Security architecture summary
  • Most recent penetration test summary
  • HIPAA Security Risk Assessment summary
  • SOC 2 status documentation
  • Incident response runbook with breach-notification timelines
  • Workforce HIPAA training program documentation
  • Cyber liability insurance certificate of coverage

You can preview and download our standard templates — BAA, DPA, MSA, per-session interpreter NDA, and ORR subcontract terms — before procurement starts. Each is a template for your own counsel to review.

Need a BAA, a DPA, or a security review?

Tell us what your procurement process requires and we'll get the right documents to the right people.

Contact us