An intelligence layer that watches the system without ever seeing the patient.

The layer reads triggers, not patients.

Every patient touchpoint that lives inside an aesthetic practice — names, contact details, treatment notes, photographs, billing records — is governed by HIPAA and stored inside the practice management system. Sculptrix is built so that data never has to leave that system to do its job.

When the layer surfaces an action — a rebooking nudge, a slot-fill match, a follow-up reminder — it does so by passing an anonymized event trigger to the PMS, which executes the patient-facing action through its own existing communication channels. Sculptrix sees the operational pattern. The PMS still owns the patient.

The pattern eliminates a long chain of legal exposure. The patient relationship stays one-to-one with the practice. The data stays where regulators expect it to stay. And the layer can do its work — finding the gaps, surfacing the moments, orchestrating between systems — without ever becoming a custodian of the information that makes those gaps personal.

How the architecture holds.

Where the layer fits in the regulatory map.

Aesthetic practices that perform medical procedures — injectables, lasers, hormone therapy — are covered entities under HIPAA. Patient data stored in a PMS is protected health information. Any vendor that handles PHI on their behalf becomes a Business Associate, with the contractual and operational burden that follows.

Sculptrix is intentionally architected to not be a Business Associate. Because the layer never receives PHI — only anonymized event triggers from the PMS — it operates as a workflow intelligence service rather than a PHI custodian. The PMS retains the BAA relationship with the practice. Sculptrix sits one level above.

This is not a workaround. It's the architecture. The same property that makes the layer legally lighter to deploy is what makes it operationally honest: Sculptrix can only see what the PMS lets it see, and the PMS only lets it see what the practice has approved. The constraint is the moat.

Where we are. Where we're going.

Sculptrix is pre-SOC 2 today. We do not represent otherwise to prospects. The roadmap below is committed and dated to our revenue milestones — not to vague "soon" language.

If your practice is part of a private-equity-backed roll-up that requires a vendor-security review before the first contract, we'll meet you in that review with the architecture documentation, the trigger model spec, and a signed confidentiality agreement covering the operational metadata involved. The conversation moves quickly because there's less to argue about: the layer doesn't see the things a Business Associate would have to defend.

What we do regardless of certification.

The certifications take time. The security practices do not. Here is what is in production today, independent of the roadmap above:

• · TLS 1.3 in transit for every connection between Sculptrix infrastructure, the practice management system, and the customer-facing dashboard.
• · AES-256 at rest on the operational metadata store and all backup snapshots.
• · Multi-factor authentication required for all Sculptrix admin access. SSO available for customer accounts.
• · Least-privilege access controls on every internal service. No human ever has standing access to the production database.
• · Daily database backups with 30-day retention. Quarterly disaster-recovery rehearsals.
• · All inbound and outbound API requests logged for ninety days. Available to the practice on request.
• · Incident response policy with named owner, escalation path, and 72-hour customer-notification commitment.