Security & Privacy Reference Guide

We developed the EVAL platform with privacy and security in mind. Because Citizen Developers may be located anywhere in the world, we apply globally recognized privacy principles, standards, and best-practice frameworks to protect the personal data handled by our platform.


Privacy

The EVAL platform is designed with privacy in mind and therefore collects and uses personal information only where proportionate and necessary. The privacy-by-design principles set out in EVAL’s Privacy by Design Code apply to all program, system, and development work. We engage only service providers that adhere to acceptable privacy standards, which we assess during our due diligence process.

For our full privacy notice, navigate to the Privacy Policy page.

EVAL provides a service to Citizen Developers, who are subject to the privacy and data protection obligations that apply in their location. EVAL collects and uses Citizen Developer personal information on the legal basis of consent. Patient personal information, including personal health information, may be processed on a different legal basis depending on the jurisdiction and the laws applicable to the Citizen Developer’s activities. Citizen Developers are responsible for evaluating the EVAL platform and ensuring that their use of it meets the privacy and security standards, obligations, and commitments that apply to them.

US Privacy

EVAL operates in line with the requirements of the US Health Insurance Portability and Accountability Act (“HIPAA”), which protects Protected Health Information (“PHI”) in the US health system. Under this framework, EVAL is a Business Associate delivering services to Covered Entities. If you need us to sign a Business Associate Agreement, please contact support@eval.health.

Where HIPAA does not apply, we comply with applicable state privacy laws, including their breach notification requirements.

EU and UK Privacy

The EVAL platform has been designed to support compliance with EU and UK data protection laws. EVAL is a data processor delivering services to Citizen Developers, who are the data controllers. As a US company, we participate in the EU-US Data Privacy Framework.


Security

EVAL operates to the following standards and frameworks:

  • FHIR (Fast Healthcare Interoperability Resources) for the exchange of healthcare information
  • OWASP (Open Web Application Security Project) guidance for web application security
  • NIST (National Institute of Standards and Technology) frameworks to reduce cybersecurity risk and improve resilience
  • OAuth (open standard for authorization) for delegated access
  • PCI DSS (Payment Card Industry Data Security Standard) for processing credit card transactions

EVAL’s security controls include encryption and data partitioning.

Organizational Controls

EVAL has a designated Privacy Officer who is responsible for our privacy management program. We train our team regularly on our privacy and security policies, which staff are required to acknowledge and accept annually. Our security processes include strict staff onboarding and off-boarding protocols.

For more information about our security practices, please contact support@eval.health.