EVAL Health
Reference

Security and privacy

EVAL Health data protection practices, HIPAA compliance, GDPR compliance, and security architecture.

Privacy by Design

EVAL builds privacy into the platform from the ground up. Every feature, data flow, and architectural decision reflects a commitment to protecting sensitive health information. You benefit from a system designed to minimize data exposure and enforce compliance at every layer.

US Privacy

HIPAA Compliance

EVAL operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). You receive the protections required for handling protected health information (PHI), including administrative, technical, and physical safeguards.

Business Associate Agreement

You can execute a Business Associate Agreement (BAA) with EVAL to formalize the obligations and responsibilities for PHI protection. The BAA is available upon request and covers the data handling, breach notification, and security requirements mandated by HIPAA.

EU and UK Privacy

GDPR Compliance

EVAL acts as a Data Processor under the General Data Protection Regulation (GDPR) and its UK counterpart, the UK GDPR. You, as the Data Controller, decide why and how personal data is processed; when you use EVAL to process personal data of EU or UK residents, the platform applies controls that let you honor data subject rights, including access, rectification, erasure, and portability.

EU-US Data Privacy Framework

EVAL participates in the EU-US Data Privacy Framework (DPF), which provides a lawful mechanism for transferring personal data from the European Union to the United States under the European Commission's adequacy decision. You can confirm a participant's current status on the DPF List maintained by the US Department of Commerce, and should do so before relying on it as the transfer mechanism in your own records of processing.

Security Frameworks and Standards

EVAL aligns with established security frameworks to maintain a robust security posture:

  • FHIR (Fast Healthcare Interoperability Resources) -- You interact with health data through standardized FHIR APIs for interoperability with external systems. FHIR itself is a data model and API standard; the security of a FHIR exchange comes from the transport encryption and OAuth-based authorization described on this page, not from FHIR alone.
  • OWASP -- EVAL follows Open Web Application Security Project guidelines to protect against common web application vulnerabilities.
  • NIST -- The platform aligns with National Institute of Standards and Technology cybersecurity frameworks to structure its risk management and security controls.
  • OAuth -- You authorize access to platform resources through OAuth, so clients receive scoped access tokens rather than handling user credentials directly, and each token carries only the access it was granted.
  • PCI -- EVAL adheres to the Payment Card Industry Data Security Standard (PCI DSS) for any payment processing, protecting your cardholder data during transactions.

Encryption and Data Partitioning

EVAL encrypts your data both in transit and at rest. Transport Layer Security (TLS) protects data as it moves between your browser or API client and EVAL servers. At rest, your data is encrypted using industry-standard algorithms.

Data partitioning separates your organization's data from other accounts at the infrastructure level. Together with account-level authorization, this isolation keeps your patient records, evaluation results, and configuration data accessible only to authorized users within your account, and prevents a request made in one account's context from reading another account's data.
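
The following Go program is an added illustration of the two ideas above working together: per-tenant keys for encryption at rest, with the tenant identifier bound into every ciphertext so that a record sealed for one account cannot be opened in another's context even if the ciphertext is moved. It is not EVAL's code and says nothing about how EVAL's storage is actually implemented; the function names, the HMAC-based key derivation, the stand-in master key, and the sample record are all constructed for the example (a real deployment would keep the master key in a KMS or HSM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DemoMasterKey returns a constructed 32-byte master key so the example runs
// offline. In a real deployment the master key never leaves a KMS/HSM.
func DemoMasterKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	return key
}

// TenantKey derives a per-tenant AES-256 key from the master key with
// HMAC-SHA256 over a labelled tenant ID. This one-step derivation is an
// illustration; KMS-managed per-tenant keys are the usual production choice.
func TenantKey(master []byte, tenantID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("tenant-data-key:" + tenantID))
	return mac.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

// SealRecord encrypts one stored record with AES-256-GCM under the tenant's
// key and binds the tenant ID as additional authenticated data (AAD).
// Output layout: nonce || ciphertext || GCM tag.
func SealRecord(master []byte, tenantID string, plaintext []byte) ([]byte, error) {
	aead, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce is stored with the record.
	return aead.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

// OpenRecord decrypts a sealed record for tenantID. It fails if the record was
// sealed for a different tenant (different key and AAD) or was altered at rest.
func OpenRecord(master []byte, tenantID string, sealed []byte) ([]byte, error) {
	aead, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(tenantID))
	if err != nil {
		return nil, fmt.Errorf("record not readable in tenant %q: %w", tenantID, err)
	}
	return pt, nil
}

func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(TenantKey(master, tenantID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	master := DemoMasterKey()
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"Jane Doe","observation":"HbA1c 6.1%"}`)

	sealed, err := SealRecord(master, "tenant-a", record)
	if err != nil {
		panic(err)
	}
	if pt, err := OpenRecord(master, "tenant-a", sealed); err == nil {
		fmt.Println("tenant-a reads:", string(pt))
	}
	// The same ciphertext is unreadable under another tenant's context.
	if _, err := OpenRecord(master, "tenant-b", sealed); err != nil {
		fmt.Println("tenant-b blocked:", err)
	}
	// A single flipped byte in storage is caught by the GCM tag.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := OpenRecord(master, "tenant-a", sealed); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

The point of binding the tenant ID as AAD as well as deriving a per-tenant key is defence in depth: if a key were ever shared or mis-scoped, a ciphertext copied between accounts would still fail authentication, and the failure is loud (an error) rather than silent (garbage plaintext).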

Organizational Controls

Privacy Officer

EVAL designates a Privacy Officer who oversees data protection practices, monitors compliance with applicable regulations, and serves as the point of contact for privacy-related inquiries.

Regular Training

EVAL team members receive regular training on data privacy, security best practices, and compliance obligations. This ongoing education ensures that every person handling your data understands their responsibilities.

Onboarding and Offboarding Protocols

EVAL enforces structured onboarding and offboarding protocols for its personnel. New team members receive security training and access credentials based on their role. Departing team members have their access revoked immediately, and any credentials or keys they held are rotated.

Copyright © 2026