About 15 minutes for a single-user trial. Sign up, import a CSV of contacts (or skip it), and you're in the deals board. Pro and Enterprise customers get a 60-minute onboarding call to wire up email, SMS, and calendar.

No. The 14-day trial requires only an email and a password. You'll see a billing prompt when the trial expires; no auto-charge.

Yes. /app/contacts/import accepts a CSV with a header row. We auto-detect first name, last name, email, phone, DOB, and lifecycle. Unknown columns can be mapped to custom properties.

An ADMIN invites teammates from /app/settings. We bill per active seat — disabling a teammate immediately stops billing for that seat.

Every paid plan includes a sandbox workspace seeded with realistic fake data. Push schema changes to the sandbox first, validate, then deploy to your production workspace.

Annual billing is 20% cheaper per seat. You're invoiced once at the start of the term; mid-term seat additions are pro-rated.

Upgrades take effect immediately and are pro-rated. Downgrades take effect at your next renewal — you keep the higher tier for the rest of the term you've already paid for.

Yes — federally qualified health centers (FQHCs), academic teaching practices, and registered 501(c)(3) clinics get 30% off any tier. Email sales@contactfollowup.com for verification.

Enterprise adds custom objects, hierarchical teams, field-level permissions, advanced lead scoring + forecasting, EHR integrations (Athena + Hint), OIDC SSO, service-account tokens, and unlimited contacts. Same per-seat price ($75) plus a flat $450/mo platform fee.

No. The CRM has email templates, sequences, and basic tracking built in. Marketing automation ($445/mo) is for teams running landing pages, multi-channel campaigns, and attribution.

HubSpot Sales Hub Pro is $90/seat/mo and Enterprise is $150/seat/mo. We're $75/seat/mo at both Pro and Enterprise (Enterprise adds a flat $450/mo platform fee). For a 10-seat practice on Enterprise, you save roughly $13,500/year vs HubSpot — and you get the patient portal, scheduling, and intake your CRM didn't include.

ContactFollowUp is HIPAA-aware: every PHI field is AES-256-GCM encrypted at rest, every write emits an immutable audit row, role-based access controls are enforced at the service layer, and we sign a BAA with every covered customer. A HIPAA-compliant deployment also requires customer-side practices — BAAs with downstream subprocessors, customer-managed keys, network restrictions, incident response. We document those obligations in the security page.

Every PHI field on Contact, Activity, Appointment, IntakeSubmission, Insurance, Secure Message, and Calendar Connection. Stored as *_enc TEXT columns holding AES-256-GCM ciphertext. A raw database dump is ciphertext only.

Yes — at all tiers, before any PHI lands. Our BAA covers the application layer. You're responsible for BAAs with downstream subprocessors (Anthropic, AWS, Microsoft, Postmark, Twilio, Athena, Hint, Stripe) — we surface a tenant-side BAA-management UI to track them.

CRM_DATA_KEY (32 bytes, AES-GCM) and CRM_INDEX_KEY (32 bytes, HMAC for blind indexes) live in your secrets store — Azure Key Vault, AWS Secrets Manager, or equivalent. If either key is missing, the app refuses to start.

Server-side Session rows keyed by an opaque cookie. Patient portal runs on a separate PortalSession table and cookie (hn_portal_session). Staff sessions expire after 8 hours of inactivity by default.

Yes — Microsoft and Google OIDC, available on Pro and Enterprise. We can wire up SAML for Enterprise customers with another IdP on request.

TOTP-based MFA with recovery codes is available on every tier. Enrollment lives in /app/settings; enforcement happens at login via short-lived MfaChallenge rows.

By default, US East (Azure East US 2 or AWS us-east-1). We can deploy you into a dedicated single-tenant database in any AWS or Azure region for an Enterprise contract.

Yes — every audit row is exportable as CSV or JSON, scoped to a date range. Append-only at the service layer; no service path updates or deletes one. Retention is 7 years by default.

We've moved a 4,000-contact practice with a full sequence library and 12 custom properties in 6 working days. Contacts, companies, deals, sequences, custom properties, lists, and historical activities all import.

Mostly. Our workflow primitives (TRIGGER · CONDITION · ACTION · DELAY · GOAL) are a near-exact superset of HubSpot's. We hand-translate any HubSpot-only branches (branch-of-branch, AI-driven actions) with a human reviewer and document them in the audit log.

Yes — we import message threads and re-encrypt the subjects and bodies on your keys. The original timestamps and sender IDs are preserved.

Yes — patients, providers, availability rules, appointment types, and historical bookings. Online-booking links you've already shared keep working through a forwarding layer for 90 days.

Yes — patients, providers, schedules, and intake-form definitions. Tebra's billing-side data stays in Tebra; we don't replace clearinghouse integrations.

On Pro and Enterprise, yes. A specialist runs a discovery call, builds a migration plan, runs the import on a sandbox workspace, and only flips DNS when you've signed off.

Athena and Hint are shipped today, bi-directional. We push contact updates outbound and pull patient + appointment updates inbound via the vendor's 'updated since' feed. Webhooks land at POST /api/ehr/webhooks/{ehr} with HMAC-verified signatures.

On the roadmap. The EhrClient port is built to drop in any FHIR or vendor-specific adapter; we're prioritizing based on customer demand. Talk to sales if you have a specific EHR.

Yes — by default, inbound EHR data only fills missing fields on the ContactFollowUp Contact. Existing local edits are preserved. Set EHR_INBOUND_OVERWRITE=1 if you want EHR data to win.

Yes — inbound appointment sync writes EhrAppointmentLink rows that show up on the staff weekly grid. Cancellations and reschedules propagate back to the EHR on the next outbound sync.

We're rolling out a read-first staff app and a patient-facing app this quarter, both backed by the same JSON endpoints documented in our public API. Until then, the web app is fully responsive on phones and tablets.

Yes — /portal/schedule is built mobile-first. Two-tap rebook is one of the most-used flows on phones; we A/B'd the flow against Solv's and matched their conversion rate.

The patient app caches upcoming appointments and intake forms for offline read access. Staff editing requires connectivity so audit-log writes don't drift.

Yes — every staff-side feature is backed by a REST endpoint, authenticated by either a staff cookie or a service-account token. Service-account tokens are scoped by role; we recommend a dedicated automation role with read-only access wherever possible.

Yes — contact, deal, appointment, and audit events fire to your registered webhook URLs with HMAC-SHA256 signatures over the body. Replay protection via a 5-minute timestamp window.

We support 'integration agents' that register with our reusable-agents framework — Python scripts that call the HTTP API as a service account. Every action lands in the audit log with actorKind='agent'. Three reference agents (patient-followup, new-patient-campaign, contact-enrichment) ship with the repo.

Not yet. REST plus webhooks covers every flow our customers have asked for; a GraphQL surface is on the roadmap if demand persists.

Service-account holders can browse the OpenAPI spec at /api/openapi.json once a workspace exists. We're working on a public versioned docs site — subscribe to the changelog for the launch.

Email support@contactfollowup.com from any tier. Pro adds in-app chat with a 4-hour business-day response SLA. Enterprise gets a dedicated customer success manager and a 1-hour business-day SLA on P1 issues.

Yes — 60 minutes of live onboarding on Pro and Enterprise, plus a video library and written runbooks for every clinical workflow.

On a confirmed PHI-impacting incident, we contact every affected tenant's Security Officer within 24 hours and provide a post-incident review within 72. The full posture is documented on our security page.

99.9% target on the multi-tenant cluster; 99.95% on single-tenant Enterprise. Live status at status.contactfollowup.com.

Patient data export is one click on every tier — JSON of every Contact, Activity, Appointment, and IntakeSubmission, with PHI decrypted at the boundary. We do not hold your data hostage.