Vendor Due Diligence · Confidential

superinsight.ai — Evaluation for the NDAS Report Pipeline

An independent read on whether superinsight.ai fits the practice's medical-records → review-ready report workflow, and how to proceed.

Prepared for: Dr. Nicholas Suite & Stefan Suite, NDAS · By: Brian Pyatt, SpotCircuit · Date: June 29, 2026

Bottom line

superinsight.ai is a real, low-cost tool genuinely built for messy medical records — buying a proven engine for that heavy lifting is the right instinct. But for NDAS specifically, it fits the general job (attorney medical chronologies) more than the specific one (a physician's signed expert report in your exact format), two compliance items still need to be confirmed in writing before any records go in, and — importantly for our plan — it offers no way to build custom automation on top of it.

The smart strategy underneath this — buy the commodity record-ingestion engine, build the NDAS-specific report layer on top of it — is correct. It just points to a different class of vendor (one that exposes an API and signs a BAA). Our recommendation, the alternatives, and the exact items to confirm are below.

01 What it is

superinsight.ai is AI medical-record review & chronology software built for law firms — personal injury, Social Security disability, veterans' disability, workers' comp, and medical malpractice. You upload records, pick a report type, and it produces a structured draft you can edit and export to PDF/Word. It is a drafting tool, not a search box; it processes real PHI (it is not a de-identification/anonymizer tool); and it states that it is HIPAA-compliant and ISO 42001 certified. Sources: superinsight.ai, product docs, HIPAA notice.

02 How it measures against NDAS's requirements

Each row is a requirement from the project brief, scored against what the public record shows.

| NDAS requirement | Status | What we found |
| --- | --- | --- |
| Signs a HIPAA Business Associate Agreement (BAA) before any PHI | Not evidenced | No public page states they will sign a BAA naming themselves your Business Associate. This is the load-bearing item — confirm directly. |
| Records retained ≥ 7 years, never deleted | Conflicts | Their Terms allow user content to "be deleted at any time without prior notice," and deletion on account termination. Opposite of the 7-year requirement. |
| Security attestation (SOC 2 / equivalent) | Unclear | ISO 42001 (an AI-governance standard) is claimed — that is not a security or healthcare certification. No SOC 2 disclosed publicly. |
| Processes real PHI (not de-identification) | Yes | Its 2026 HIPAA notice confirms it creates, receives, and stores PHI — the right direction for this work. |
| Ingest 2,000–10,000 pages of messy scans / faxes / handwriting | Claimed | Markets exactly this — "no page limit," handwriting, 6,000-page files. Credible positioning, but unbenchmarked vendor claims; verify with a pilot. |
| Output in your fixed report format & physician voice | Partial | Only predefined templates (chronology / summary). No custom-template builder found — it would approximate, not reproduce, the NDAS report. |
| Per-fact source-page traceability + QA review (defensible under cross-examination) | Partial | Page-level citation is advertised, but per-statement, click-verifiable granularity and an edit audit trail are not documented. No human-review step. |
| Draft only — physician reviews & signs | Yes | It produces a draft; sign-off stays with you. |
| Build custom automations / workflows on top of it | No | No public API, SDK, or white-label program. It is a closed end-user app — there is nothing to build on. |
| Low cost | Yes | ≈ $250/mo for 6 credits; ≈ $25–$160 per report; no per-page fees. |

03 What our research found

On the description that reached us

The product was described as "about four years old, built by one of the engineers behind Google's early semantic-search work." The public record doesn't match that: superinsight.ai was founded in 2023 (Techstars Austin) by Nelson Chu (computer-science background; previously Disney/Sony) and Luke Connally (a military veteran whose own VA-claims experience inspired the company) — we found no Google or semantic-search pedigree. "Semantic search" is a feature name on the product, not a founder's credential. Not a mark against the tool — but it means we should judge it on the product, not the story. Sources: About, Crunchbase, Techstars.

On maturity & longevity

It is an early-stage company — roughly $620K raised (pre-seed), about 8 employees, customers that are mostly solo and small firms, and no independent third-party reviews yet. It is real and shipping, but lightly resourced. This matters directly to NDAS: vendor longevity was Dr. Suite's stated reason for wanting 7-year control of the records, and a pre-seed startup holding years of expert-witness files is exactly that risk. Weigh it deliberately.

On compliance, before anything real is uploaded

It processes PHI (good) and appears to run its own models rather than sending records to outside AI vendors (a plus). But the BAA is not publicly evidenced, there is no SOC 2 on record, data-storage location is undisclosed, and there is no stated "we don't train on your data" commitment — notable given they run their own model fine-tuning. These are answerable questions; they just have to be answered in writing first. Sources: HIPAA notice, Terms, ISO-42001 post.

04 Confirm these four things before any records go in

  1. An executed HIPAA BAA naming the practice — on which plan, and at what cost.
  2. The SOC 2 (or equivalent) security package and the list of named subprocessors + where data is stored.
  3. A written data-retention commitment that supports ≥ 7 years / never-delete (their current Terms do not).
  4. A written "we do not train on your data" and deletion-on-request commitment.

Until those exist, only synthetic or de-identified records should ever be used — including for any trial run.

05 Recommended path

Keep the strategy, change the engine. Buy a proven record-ingestion / chronology engine for the heavy lifting, and build the NDAS-specific layer on top — the exact report format and physician voice, the source-traceability + QA review that has to hold up under cross-examination, the appointment-day exam integration, and the learning loop that adapts to Dr. Suite's edits. No off-the-shelf product does that part — it is the work that makes the report defensibly yours.

For that "buy the core + build on top" model, the better-fit engines are API-first and sign BAAs:

CaseMark

Legal + medical-chronology platform with a full workflow API (REST/SDK), a white-label option, and HIPAA BAA + SOC 2 Type II. Strongest "build on top" fit.

Tags: API · BAA · SOC 2

Wisedocs

AI medical-record review & summaries for legal / IME, with a public API and HIPAA + SOC 2 Type II.

Tags: API · BAA-grade · SOC 2

DigitalOwl

Enterprise medical-record review for legal & insurance; explicitly offers a BAA, SOC 2 Type II, and HIPAA. The most established option.

Tags: BAA · SOC 2 · Enterprise

superinsight.ai

Best used as a low-cost pilot to test off-the-shelf chronology quality on a de-identified sample — not as the platform to build on.

Tags: Pilot only · No API