HiBoop Trust Center - Security, Privacy & Compliance

The HiBoop Trust Center provides detailed information on our commitment to security, privacy, and clinical validation. As a healthcare technology provider, we adhere to the highest standards of data protection, including HIPAA, PIPEDA, and GDPR compliance. We understand that the security of patient data is paramount to your clinical practice.

Our platform uses AES-256 encryption for data at rest and TLS 1.3 for data in transit. We conduct regular third-party security audits and maintain a detailed compliance program to ensure the integrity and confidentiality of protected health information (PHI). By using Google Cloud Platform's secure infrastructure, we provide a secure and reliable environment for digital measurement-based care. Our security framework is designed to meet the rigorous demands of hospitals, large health systems, and private practices alike.

Security First Architecture

Your Patient Data,
Protected by Design.

Security isn't a feature; it's the foundation of clinical safety. We build upon international healthcare standards to honor patient trust.
Trusted by healthcare organizations across North America
Encryption: AES-256
Data Residency: CA / US
Audit: Third-Party Verified
Security First / Privacy by Design

Security & Compliance.

Built with healthcare data protection standards in mind, designed to support HIPAA, PIPEDA, ICD-11 coding, and other regulatory requirements.

HIPAA Aligned
PIPEDA Ready
ICD-11 Aligned
Privacy by Design
HL7 / FHIR
Third-Party Verification
HIPAA / PIPEDA · GDPR · PCI-DSS · DSM-5-TR / ICD-11 · B Corp · Living Wage
Open Standards / Interoperability

Data Standards.

HiBoop is built on open HL7 and FHIR R4 (Fast Healthcare Interoperability Resources) standards, the same foundation used by Epic, Cerner, and every major EHR on the market. Data residency, PIPEDA, and GDPR controls are honored end-to-end. Your data is never locked in a proprietary format.

FHIR R4 is the global standard for exchanging healthcare information electronically, maintained by HL7 International and required by ONC under the 21st Century Cures Act for HIPAA-covered entities. Building on FHIR means assessment results, scores, and outcome data can flow directly into any compliant EHR, today or in the future, without custom middleware.

HL7 FHIR R4

Fast Healthcare Interoperability Resources

Assessment results and outcome data are structured as FHIR resources, exportable and consumable by any FHIR-compliant system. No translation layer needed.

Data Portability

Works with your existing stack

Export scored assessment data in standard formats. HiBoop works alongside your existing EHR, no replacement or complex integration required.

Open Export

Your data, your formats

Full data export in CSV, HL7, and FHIR formats at no extra cost. You own your data, always. No lock-in, no ransom exports, no proprietary formats.

Defense-in-Depth.

Multi-layered security strategy protecting every data vector. Hardened at the infrastructure, application, and clinical levels.

Encryption Everywhere

AES-256 at rest and TLS 1.3 in transit with automated key rotation.

Network Isolation

Compute instances run in private VPCs, isolated from the public internet.

Vulnerability Management

Daily scanner cycles and annual 3rd-party penetration testing.

Continuous Monitoring: Monitoring Active (Verified)
WAF Status: Active / Blocking (Verified)
Database Access: Private VPC Only (Verified)
Last Audit: Jan 2026 (Verified)
Encryption: AES-256 / TLS 1.3
System Reliability: 99.9%
User Controls & Access

Application Integrity.

Security features designed for clinical precision. Protection without friction.

Multi-Factor Auth

Enforced Multi-Factor

Standard across all clinical accounts. Support for TOTP and hardware security keys.

Audit Logging

Immutable Trails

Every view and export is cryptographically logged. Complete visibility into data access.

TIMESTAMP  | ACTION   | HASH
2026-01-31 | VIEW_PHI | 0x7f…a9
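The page says every view and export is "cryptographically logged" in an "immutable" trail but does not describe the mechanism. The block below is an added illustration, not HiBoop's code, of one common way such a trail is built: each entry's hash covers the previous entry's hash plus its own canonical fields, so an in-place edit, an edit with a recomputed hash, and a deleted tail are each detectable by a verifier. The event fields, actor names and record ids are constructed sample data; the assumption that a hash chain (rather than, say, a signed log or a WORM store) is what the page means is mine.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Anchor hash for the first entry in the chain (no predecessor exists).
GENESIS_HASH = "0" * 64


def canonical_bytes(fields: Dict[str, Any]) -> bytes:
    """Serialize an event deterministically so identical events always hash identically."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, fields: Dict[str, Any]) -> str:
    """SHA-256 over the previous entry's hash followed by this entry's canonical fields."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical_bytes(fields))
    return h.hexdigest()


def append_entry(log: List[Dict[str, Any]], fields: Dict[str, Any]) -> Dict[str, Any]:
    """Append an access event, linking it to the current head of the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"prev_hash": prev_hash, "fields": dict(fields), "hash": entry_hash(prev_hash, fields)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, Any]], expected_head: Optional[str] = None) -> Optional[int]:
    """Walk the chain from genesis. Return None if it is intact, otherwise the index of the
    first entry whose back-link or hash does not check out. If expected_head (the head hash
    stored outside the log, e.g. in a separate system) is supplied, a truncated tail is
    reported as index len(log)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or entry_hash(prev_hash, entry["fields"]) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


# Constructed sample events (hypothetical actors and record ids, not real data).
SAMPLE_EVENTS = [
    {"ts": "2026-01-31T09:14:02Z", "actor": "clinician-17", "action": "VIEW_PHI", "resource": "patient/000123"},
    {"ts": "2026-01-31T09:20:45Z", "actor": "clinician-17", "action": "EXPORT_FHIR", "resource": "patient/000123"},
    {"ts": "2026-01-31T10:02:11Z", "actor": "admin-02", "action": "VIEW_PHI", "resource": "patient/000456"},
]


def build_sample_log() -> List[Dict[str, Any]]:
    log: List[Dict[str, Any]] = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


def detect_field_edit() -> Optional[int]:
    """Entry 1's action is rewritten in place; its stored hash no longer matches its fields."""
    log = build_sample_log()
    log[1]["fields"]["action"] = "VIEW_PHI"
    return verify_chain(log)  # 1


def detect_edit_with_rehash() -> Optional[int]:
    """Entry 1 is edited and its hash recomputed; entry 2 still links to the original hash."""
    log = build_sample_log()
    log[1]["fields"]["action"] = "VIEW_PHI"
    log[1]["hash"] = entry_hash(log[1]["prev_hash"], log[1]["fields"])
    return verify_chain(log)  # 2


def detect_truncation() -> Optional[int]:
    """The last entry is removed; only the externally stored head hash reveals the gap."""
    full = build_sample_log()
    head = full[-1]["hash"]
    truncated = full[:-1]
    return verify_chain(truncated, expected_head=head)  # 2


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))
    print("in-place edit detected at index:", detect_field_edit())
    print("edit + rehash detected at index:", detect_edit_with_rehash())
    print("truncation detected at index:", detect_truncation())
```

The third case is the one reviewers most often miss: a chain verifies its own internal consistency, but deleting entries from the end leaves a perfectly consistent shorter chain. Tamper evidence for the tail requires the current head hash to be recorded somewhere the log writer cannot alter, which is what the `expected_head` parameter stands in for here.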
Role-Based Access

Granular Controls

Strict Role-Based Access. Personnel only see PHI relevant to their clinical authorization.

Session Management

Smart Timeouts

Configurable idle timeouts protect data on shared clinical workstations automatically.

Endpoint Security

Employee Device Security

Sprinto scans all employee computers for active malware protection and compliance standards.

Data Encryption

Data Encryption

AES-256 encryption for data at rest. TLS 1.3 for all data in transit with perfect forward secrecy.

Transparency & Partners

Infrastructure Partners.

Every vendor undergoes rigorous security review. Data residency is strictly enforced.

DPA Verified
BAA Executed
Data Never Sold

Google Cloud

Infrastructure

Application hosting & database

CA / US · PHI Sync

Cloudflare

Security

WAF, DNS & DDoS protection

Global · No PHI

Sprinto

Compliance

Compliance automation

US · No PHI

Stripe

Payments

Payment processing

US · No PHI

HubSpot

CRM

Relationship management

US · No PHI
System Health

System Status.

Monitored components: API Gateway, Global CDN, Cloudflare WAF & DDoS (Up)

Uptime (last 90 days): 99.9%, no major incidents

Hosted on Google Cloud · Secured by Cloudflare · Audited by Sprinto
Security Research

Responsible Disclosure.

We welcome contributions from security researchers. If you identify a vulnerability, report it promptly to our security response team.

In Scope

  • Auth/Authorization bypass
  • Injection vulnerabilities (SQL, XSS, SSRF)
  • PHI or patient data exposure
  • Broken access controls / IDOR
  • Session management flaws
  • Audit log bypass or tampering
  • Encryption weaknesses (data at rest / in transit)

Out of Scope

  • Social Engineering / Phishing
  • DDoS / volumetric attacks
  • Scanner-generated reports without a verified finding
  • Testing against HiBoop staff or employees personally
  • Destructive testing (deleting, modifying, or exfiltrating production data)
RFC 9116 / security.txt
Contact Security

Need a Security Review?

Our security team is available to answer detailed questions, complete vendor questionnaires, and provide necessary compliance artifacts.

Frequently Asked Questions

Is HiBoop HIPAA compliant?

Yes. HiBoop adheres to HIPAA Privacy and Breach Notification Rules. Business Associate Agreements (BAAs) are available for all US enterprise clients. Our platform implements technical safeguards including encryption, access controls, and audit logging to protect Protected Health Information (PHI).

Does HiBoop comply with Canadian privacy laws?

Yes. HiBoop is fully compliant with PIPEDA (Personal Information Protection and Electronic Documents Act) and Canadian federal and provincial privacy laws. For Canadian clients, data residency is strictly enforced on Canadian soil with infrastructure hosted in Google Cloud Canada regions.

What security certifications does HiBoop have?

HiBoop is HIPAA compliant, PIPEDA compliant, and GDPR ready. We conduct annual third-party penetration testing and daily vulnerability scanning to maintain our security posture. We also undergo regular third-party security audits to verify our controls.

Is HiBoop GDPR ready for international clients?

Yes. HiBoop supports GDPR Privacy by Design principles with full support for subject rights including data access, erasure, and portability. Our platform architecture enables compliance with EU data protection requirements for international deployments.

How is patient data encrypted?

All patient data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit. Encryption keys are automatically rotated, and our encryption implementation follows industry best practices for healthcare data protection.

What access controls protect patient data?

HiBoop implements defense-in-depth security including: enforced multi-factor authentication (MFA) with support for TOTP and hardware security keys, strict role-based access control (RBAC) ensuring personnel only see PHI relevant to their clinical authorization, network isolation with compute instances in private VPCs, and configurable idle timeouts for shared clinical workstations.

Are there audit logs for data access?

Yes. Every view and export of patient data is cryptographically logged in immutable audit trails. This provides complete visibility into data access patterns and supports compliance requirements for access monitoring and breach investigation.

Where is patient data stored and who are your infrastructure partners?

All patient data is stored on Google Cloud infrastructure with strict data residency enforcement (Canada/US regions). We work with vetted subprocessors who have executed Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs). Key partners include Google Cloud (infrastructure), Cloudflare (security/WAF), Sprinto (compliance automation), and Stripe (payments). No patient data is ever sold to third parties.

How can I report a security vulnerability?

We welcome responsible disclosure from security researchers. If you identify a vulnerability, please report it promptly via our contact form with subject line "Security Disclosure". In-scope vulnerabilities include authentication/authorization bypass, injection flaws, PHI or patient data exposure, broken access controls, session management weaknesses, audit log bypass, and encryption issues, all critical to our HIPAA, PIPEDA, and GDPR obligations. Out of scope: social engineering, DDoS attacks, unverified scanner reports, and destructive testing against production data.

Can I request a security review or compliance documentation?

Yes. Our security team is available to answer detailed questions, complete vendor security questionnaires, and provide necessary compliance artifacts including BAAs, security audit reports, and compliance documentation. Reach out via our contact form for security review requests.
