Organized by who's asking. Forward this URL to your IT/security/MLR/procurement team — every question they're about to ask, with the answer, in one scannable page.
Different people ask different questions. The four sections below mirror the four most common reviewer types — security, commercial, product, and Veeva-specific. Each answer is the same one we'd give on a call, the same one in our SOW, the same one your security team gets from us in writing.
OVYN as a company is not yet SOC 2 certified — we're a small studio. The hosting providers we run on (Vercel, Anthropic, Twilio, Turso) all hold their own SOC 2 Type 2 certifications, so the underlying infrastructure is certified. We follow HITRUST-aligned data-handling practices. If Demo Therapeutics requires OVYN-level SOC 2 as a deal condition, we can initiate the formal Type 1 process within 30 days — typical 3–4 months to certification.
We're not a covered entity under HIPAA because no PHI enters our system. Patient data stays inside your Veeva environment. What we receive is de-identified aggregate analytics — minimum cohort of 25, no patient-level records, 14 aggregate fields max. So technically you don't need a BAA with us — there's no PHI for the BAA to govern. We're happy to sign a DPA and walk your privacy team through the architecture.
All US-based hosting (us-east-1). Vercel for the web app + APIs, Anthropic for AI inference, Twilio for messaging, Turso for operational database. No data leaves the US unless you specifically request EU regions for compliance reasons.
No. Anthropic's enterprise terms — which we operate under — explicitly prohibit using customer prompts or completions to train the foundation model. Same for any data you share with us. Your claims library, performance data, ISI variants, generated outputs — none of it goes into a training set. Ever. This is in our SOW.
Anthropic (AI inference), Vercel (hosting), Twilio (messaging), Turso (operational database). All US-based, all SOC 2 certified or pursuing. We disclose them up front, not on request. New subprocessors require 30 days advance notice and your right to object.
HITRUST-aligned, not certified. HITRUST certification takes about a year and costs ~$150K — for a studio our size it's overkill on day one. The 'aligned' framing means our data-handling controls map to HITRUST principles, which is what most boutique vendors say. The infrastructure underneath us is SOC 2 certified.
21 CFR Part 11 governs electronic records and signatures for FDA-regulated systems — primarily clinical and manufacturing. It applies to your Veeva instance because Veeva is your regulated content repository. OVYN sits beside it; the moment content leaves us and lands in PromoMats, your Part 11 controls take over. We don't claim Part 11 compliance ourselves because the regulated record-of-truth is Veeva.
Documented runbook with <4 hour notification SLA on confirmed breach. Quarterly tabletop exercises. Continuous SAST/DAST in CI. Annual third-party pen test scheduled for Q3 2026. Audit logs are immutable, append-only, exportable on request.
Yes. Standard CCPA/GDPR-compliant template available on request. Routes to trust@ephicacyhealth.com with typical <1 business day turnaround.
Three tiers. Tier 1 (Strategy + Creative) starts at $25K setup + $18K/month. Tier 2 (adds MLR + production) at $40K + $32K/month. Tier 3 (full content engine + performance loop) at $65K + $52K/month. We can quote precisely once we understand cycle volume — typically that scoping happens after the 48-hour pilot.
Roughly half. Industry benchmark for full DTC creative is ~$84K/quarter for a single indication. Tier 2 is ~$32K/month for the same throughput. The savings come from AI on the production layer, not from cutting strategy or compliance corners. We don't replace those agencies — we sit alongside, focused on production. Many of our prospects keep their full-service partner for strategy and use us for the content engine.
Six weeks from contract execution. Week 1 = scope and kickoff. Weeks 2–4 = configure your brand brain, load claims library + ISI + voice rules, build the Veeva connector in sandbox. Week 5 = validation with your team. Week 6 = first content moves through your MLR queue. Or skip the build and submit a brief on day one — we deliver 12 MLR-scored versions in 48 hours via the pilot.
Your data stays your data. We provide a full export — claims library, brand brain configuration, Veeva metadata, performance archive, audit log — and we don't retain any of it after offboarding. Standard 30-day wind-down clause in the contract. No early-termination penalty after Month 6.
Yes — and it's free for a first engagement. Submit a brief at /pilot. We deliver 8–12 MLR-risk-scored versions in 48 hours, citation-tagged to public claim sources for your indication. Zero commitment after delivery. The work goes in your archive whether or not you sign.
OVYN focuses on AI content for pharma + health-and-wellness. Yes, we work across verticals — wellness, longevity, pharma, food and beverage — but each engagement is run as a dedicated team. Your engagement is staffed by people who know pharma, not a generalist studio.
Anthropic's Claude. Specifically Claude Sonnet 4.5 in production. We chose Anthropic for two reasons: their data-handling posture (no training on customer data, in writing), and Claude's long-context retrieval performance — important when the model has to read your entire claims library before producing a variant.
Two layers. First — RAG (retrieval-augmented generation): every claim has to be retrievable from your approved claims library, with citation. The model can't make up a stat. Second — the compliance rail validates every claim against the source. If the citation pointer doesn't resolve to a real, in-scope, current claim, the version gets flagged. And ultimately MLR is still the gate — we don't ship anything to channel without an MLR-approved record.
No, and you don't want one. Custom LLM training is a multi-million-dollar infrastructure project that gets stale the moment a new foundation model ships. What we do is configure a foundation model with your specific context — your claims library, ISI, brand voice, audience personas, FDA guardrails. Same model, different inputs. Industry term is RAG with brand-specific instructions. Effect from your perspective is 'your brand's AI'; cost and maintainability are dramatically better than a custom-trained model.
Standing instructions running on every generation. OPDP guidance encoded as rules — fair-balance proximity, comparative-claim restrictions, outcome-guarantee prohibitions, off-label scope, ISI requirements. Plus your brand-specific rules — voice, forbidden phrases, named-physician requirements. Each output gets a risk score. Above threshold, it's flagged with an auto-rewrite suggestion before MLR sees it. Doesn't replace MLR — it cleans up what would otherwise eat MLR's time.
Two layers catch it. First — every claim has to be retrievable from your approved claims library, with citation. Second — the compliance rail validates every claim against the source. If the citation pointer doesn't resolve, it's flagged. And ultimately MLR is still the gate. We make MLR faster; we don't bypass MLR.
Off-label is a hard rule. Every efficacy mention has to tie to FDA-approved indication only. The rail blocks generations that imply use beyond approved indications. If the engine produces something off-label-adjacent, it's flagged at the highest severity. Your medical reviewer is still the final read.
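As an added illustration of the two-layer rail described above (example code written here, not OVYN's own implementation; the claims library, ids, indications, dates and sample variant are all constructed), a Python check that resolves each citation pointer, rejects claims outside the in-scope indication or no longer current, and flags any statistic that carries no citation:

```python
import re
from datetime import date

# Constructed sample claims library: hypothetical ids, indications and dates.
CLAIMS = {
    "CLM-001": {"indication": "plaque psoriasis", "status": "approved", "expires": date(2026, 12, 31)},
    "CLM-002": {"indication": "plaque psoriasis", "status": "approved", "expires": date(2025, 1, 31)},
    "CLM-003": {"indication": "psoriatic arthritis", "status": "approved", "expires": date(2027, 6, 30)},
    "CLM-004": {"indication": "plaque psoriasis", "status": "withdrawn", "expires": date(2027, 6, 30)},
}
TODAY = date(2026, 1, 15)  # constructed "current date" for the expiry check

# Rough detector for statements that read as a stat: percentages, durations, patient counts.
STAT_PATTERN = re.compile(r"\d+(\.\d+)?\s*%|\b\d+\s*(weeks?|days?|months?|patients?)\b", re.I)

def validate_variant(sentences, brief_indication, today=TODAY, claims=CLAIMS):
    """Run the rail over one generated variant.

    `sentences` is a list of (text, citation_id_or_None). Returns a list of
    (severity, reason, subject) flags; an empty list means the variant passes.
    """
    flags = []
    for text, cid in sentences:
        if cid is None:
            # Layer 1: an uncited statistic has nothing in the library to resolve against.
            if STAT_PATTERN.search(text):
                flags.append(("high", "uncited statistic", text))
            continue
        claim = claims.get(cid)
        if claim is None:
            # Layer 2: the citation pointer must resolve to a real library entry.
            flags.append(("high", "citation does not resolve", cid))
            continue
        if claim["indication"] != brief_indication:
            # Efficacy tied to an indication outside the brief: off-label-adjacent, top severity.
            flags.append(("critical", "off-label: claim outside in-scope indication", cid))
        if claim["status"] != "approved":
            flags.append(("medium", "claim not current", cid))
        if claim["expires"] < today:
            flags.append(("medium", "claim expired", cid))
    return flags

def highest_severity(flags):
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f[0] for f in flags), key=order.get, default=None)

# Constructed sample variant mixing a clean claim, an out-of-scope one, an uncited stat and an expired one.
SAMPLE_VARIANT = [
    ("34% of patients reached clear skin at week 12.", "CLM-001"),
    ("Improves joint symptoms too.", "CLM-003"),
    ("Half of patients saw results in 2 weeks.", None),
    ("Convenient once-weekly dosing.", "CLM-002"),
]

if __name__ == "__main__":
    for flag in validate_variant(SAMPLE_VARIANT, "plaque psoriasis"):
        print(flag)
```

Anything above threshold would then go to the auto-rewrite step before MLR sees it; the medical reviewer remains the final read.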
PromoMats for compliance archive (every approved variant lands there with metadata). Veeva CRM for HCP engagement signal (de-identified, aggregate, fed back into our performance loop). Veeva CRM Approved Email for the field rep template library. Three products, covering DTC content workflow end-to-end. We can extend to RIM if regulatory needs visibility.
OAuth 2.0 against your Veeva sandbox first. We map about 28 metadata fields to PromoMats — audience, indication, channels deployed, expiration. Validation cycle in your sandbox before any production data. Typical build window is 4–6 weeks during onboarding.
No. Veeva stays your system of record. We sit alongside it — our outputs flow into your existing PromoMats workflow as a structured submission package. Your MLR team uses Veeva exactly the way they do today.
Your media agency does — CMI, Real Chemistry, whoever's on retainer. We don't buy media. We hand off MLR-approved files + spec sheets through their preferred portal, then pull their raw performance data back via API so the same dashboard shows social + email + media-agency numbers in one view. The connection is hourly, so you don't get the report-discrepancy problem where your platform numbers and your agency numbers drift apart.
Social paid + organic (Meta, Instagram, TikTok, LinkedIn, Reddit). Email through Salesforce Marketing Cloud. Owned web through your CMS API (e.g., Compound DT-204.com). Programmatic, paid video, and search go to your media agency.