BastionGPT was built from the ground up to serve clinicians, therapists, and healthcare organizations who need the capabilities of generative AI without compromising patient privacy. Our platform operates within a rigorous security and compliance framework designed to align with the major healthcare data protection standards enforced around the world. For practices in the United States, that means BastionGPT functions as a HIPAA compliant AI assistant, with safeguards covering data encryption, access controls, audit logging, and Business Associate Agreements. Clinicians in Canada can rely on alignment with PIPEDA and provincial health regulations, while Australian providers benefit from adherence to the Privacy Act and Australian Privacy Principles.
This commitment to privacy is what distinguishes BastionGPT as a top choice for healthcare AI. Unlike general-purpose chatbots, our platform was engineered specifically for protected health information, which means sensitive inputs are never used to train underlying models and never exposed to third parties outside the compliance perimeter. Whether you're drafting clinical documentation, generating therapy notes, summarizing patient encounters, or using AI as a medical scribe, your data stays within an environment purpose-built for the confidentiality demands of modern medicine.
That said, healthcare regulation is not monolithic. Requirements differ meaningfully between countries, states, provinces, and even individual health authorities, and obligations may shift depending on the type of practice you run, the populations you serve, and the data categories you handle. A solo therapist running a private practice has different compliance considerations than a hospital IT administrator deploying AI clinical documentation tools across an enterprise. We encourage every organization to review its local legal landscape carefully before rolling out any new technology, including ours. Our guide to staying compliant across global frameworks is a good starting point for that review.
Where is my BastionGPT data stored?
BastionGPT is built for three regulatory markets: the United States, Canada, and Australia. About 80% of our customers are US-based, and data residency works a little differently in each country, so here is what to expect. For retention and deletion specifics, see where data is stored and how long we keep it.
Does US customer data stay in the United States?
Yes. Data for US customers stays entirely within the United States. Our infrastructure runs primarily on Microsoft Azure, with some limited processing on Google systems, all of it within the US for US customers.
Is Canadian customer data stored in Canada?
Yes, by default. Data for Canadian customers resides in our Canadian data centers. Cross-border data flows are the rare exception rather than the rule, and when one could apply (for example, an optional screen-share session with our prompt engineering team), we work through it with you first so you stay in control of what is shared. These flows are documented in our Canadian Data Protection Addendum and are designed to sit well within the expectations of Canadian privacy regulations.
Where is Australian customer data stored?
We maintain data residency agreements covering our Australian customers. If your privacy review needs the specifics for your organization, we are happy to share them.
Canadian provincial privacy laws
Alongside PIPEDA, Canadian customers regularly evaluate us under provincial statutes: PHIPA (Ontario), PIPA (British Columbia and Alberta), and FOIPPA for public bodies in BC. BastionGPT supports these evaluations: Canadian customers' data resides in Canadian data centers by default under our Canadian Data Protection Addendum, and we provide documentation for your privacy impact assessments. Public bodies with cross-border data restrictions should contact us so we can walk through the specifics with your privacy officer.
United States: beyond HIPAA
For substance use disorder programs subject to 42 CFR Part 2, BastionGPT's controls (no training on your data, retention limits, access restrictions) are designed to support Part 2 obligations; contact us for documentation for your compliance file. For state-specific AI and privacy laws, our legal team tracks the landscape and can answer questions about your state.
To support that due diligence, BastionGPT publishes detailed documentation covering our security architecture, data handling practices, subprocessor relationships, and regional compliance posture. Compliance officers, privacy leads, and IT teams are welcome to request these materials as part of a standard vendor assessment. Our compliance team is also available to answer specific questions about how the platform maps to the regulations that apply to your jurisdiction and specialty, whether that involves signing a BAA, completing a privacy impact assessment, or clarifying data residency options.
If you're evaluating healthcare AI platforms and need to confirm fit for your region, reach out to our support team directly. We'll help you gather the documentation your compliance review requires so you can adopt AI for medical documentation, transcription, and clinical workflows with confidence.
