Compliance
Overview
Iris is designed for environments where compliance matters: healthcare, education, government, and enterprise. This page outlines how Iris aligns with key regulatory frameworks and security standards.
HIPAA-Aware Processing
All speech-to-text processing happens on-device. No audio is transmitted to or stored on servers, and Iris does not collect, store, process, or transmit protected health information (PHI).
Business Associate Agreements (BAAs) are available for Enterprise+ customers upon request.
Section 508 / ADA
Iris is built to align with Section 508 of the Rehabilitation Act and ADA Title III. WCAG 2.2 AA is the baseline accessibility standard. Accessibility features include:
- Keyboard navigation
- Screen reader support
- High contrast
- Reduced motion
- Focus indicators
FERPA Awareness
For education deployments: Iris does not collect student records. On-device processing means no student data leaves the device. There is no third-party data sharing.
Data Security
- Encryption at rest and in transit
- Row-level security via Supabase
- OAuth-only authentication (Google, Microsoft) — no passwords stored
- Minimal data collection by design
Audit & Accountability
Conversation history is stored per-user with tier-based retention. There is no cross-user data access. Data deletion is available on request.
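The "Row-level security via Supabase" item under Data Security and the per-user conversation history described above are the kind of control that is easiest to verify in the database itself. The following is an added example, not Iris's own schema or policy set: it assumes a hypothetical `conversations` table keyed by Supabase's `auth.users` and uses the real Supabase helper `auth.uid()` (the JWT subject of the calling session) to enforce that a user can only read, write, or delete their own rows, followed by a check that simulates a session and confirms no cross-user rows are visible.

```sql
-- Added example (hypothetical table; not the product's actual schema).
-- Goal: per-user conversation history with no cross-user access, enforced
-- by Postgres row-level security rather than by application code alone.
create table if not exists conversations (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  content    text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS and apply it even to the table owner, so a misconfigured
-- service connection cannot silently bypass the policies.
alter table conversations enable row level security;
alter table conversations force row level security;

-- One policy per operation, granted only to the 'authenticated' role.
-- auth.uid() is the Supabase function returning the caller's JWT subject.
create policy "owner can read own history" on conversations
  for select to authenticated
  using (user_id = auth.uid());

create policy "owner can append own history" on conversations
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "owner can delete own history" on conversations
  for delete to authenticated
  using (user_id = auth.uid());
-- Deliberately no UPDATE policy (history is append-only) and no policy for
-- the 'anon' role, so unauthenticated sessions see nothing.

-- Verification: impersonate a user inside a transaction and confirm that
-- rows belonging to any other user are invisible. The subject below is a
-- constructed placeholder UUID, not a real account.
begin;
  set local role authenticated;
  set local request.jwt.claim.sub = '00000000-0000-0000-0000-000000000001';
  select count(*) as rows_from_other_users
    from conversations
   where user_id <> '00000000-0000-0000-0000-000000000001'::uuid;
  -- Expected under RLS: 0, no matter how many rows other users own.
rollback;
```

Run the verification block against a database that already holds rows for several users; a non-zero count means a policy is missing or RLS is disabled on the table. Retention sweeps (the tier-based deletion mentioned above) would run under a privileged service role outside these policies, so they should be reviewed separately rather than assumed to be covered by them.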
Contact
For compliance inquiries, BAA requests, or security documentation: admin@lonia.ai