Compliance & Security

The platform is built for organizations handling protected health information (PHI).

HIPAA Posture
  • Minimum-necessary access: patient records are visible only to the assigned provider, the clinic owner, the patient themselves, and platform support. Other providers, staff, and sales reps in the same clinic cannot view PHI.
  • Pseudonymous identifiers upstream: organization and sales dashboards show a short patient reference (e.g. PT-7F3A4B) instead of names or contact details.
  • PHI access log: every view, list, download, print, and email of patient data is recorded in an append-only audit log with configurable retention (default 7 years) — used to satisfy a patient's right to an accounting of disclosures.
  • Encryption: AES-256 at rest and TLS 1.2+ in transit across all data stores.
  • Account hygiene: compromised-password screening enforced at sign-up and password change. Least-privilege service roles; production secrets isolated from the application bundle.
  • Email of PHI: patient communications carry only the clinic name and a time-limited (24-hour) link to a private, access-controlled packet — no diagnosis, peptide, or dose in the email body.
  • Backups and recovery: managed by the database provider with point-in-time recovery.
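
As an added example, not the platform's own code: the minimum-necessary rule above expressed as a policy function, with every decision (allowed or denied) written to an append-only access log keyed by the pseudonymous patient reference rather than a name. Role names, record fields and the log entry format are assumptions.

```python
# Added example (not the platform's code); roles, fields and log format are assumptions.
from datetime import datetime, timezone
from enum import Enum

ACTIONS = {"view", "list", "download", "print", "email"}  # PHI events the log must capture
Role = Enum("Role", "PROVIDER CLINIC_OWNER PATIENT SUPPORT STAFF SALES_REP")

class User:
    def __init__(self, user_id, role, clinic_id=None):
        self.user_id, self.role, self.clinic_id = user_id, role, clinic_id

class PatientRecord:
    def __init__(self, patient_ref, patient_user_id, clinic_id, assigned_provider_id):
        self.patient_ref = patient_ref        # e.g. "PT-7F3A4B", shown upstream instead of a name
        self.patient_user_id = patient_user_id
        self.clinic_id = clinic_id
        self.assigned_provider_id = assigned_provider_id

class PhiAccessLog:
    """Append-only: append() is the only write path; readers get immutable copies."""
    def __init__(self):
        self._entries = []
    def append(self, user, record, action, allowed):
        self._entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": user.user_id, "role": user.role.name,
            "patient_ref": record.patient_ref,  # never a name or contact detail
            "action": action, "allowed": allowed,
        })
    def entries(self):
        return tuple(dict(e) for e in self._entries)

def may_access(user, record):
    """Minimum necessary: assigned provider, clinic owner, the patient, platform support."""
    if user.role is Role.SUPPORT:
        return True
    if user.role is Role.PATIENT:
        return user.user_id == record.patient_user_id
    if user.clinic_id != record.clinic_id:
        return False                          # other clinics never see the record
    if user.role is Role.CLINIC_OWNER:
        return True
    return user.role is Role.PROVIDER and user.user_id == record.assigned_provider_id

def access_phi(user, record, action, log):
    """Every PHI event goes through the policy; denied attempts are recorded too."""
    if action not in ACTIONS:
        raise ValueError(f"unknown PHI action: {action}")
    allowed = may_access(user, record)
    log.append(user, record, action, allowed)
    return allowed
```

The same log feeds an accounting of disclosures, since each entry carries who, what action, and which patient reference without exposing identifying details to whoever reads it.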

Business Associate Agreement (v1.0)

This Business Associate Agreement ("BAA") is entered between the platform operator ("Business Associate") and your organization ("Covered Entity") and governs the use and disclosure of Protected Health Information ("PHI") created or received on behalf of the Covered Entity.

1. Permitted Uses

Business Associate may use PHI only to perform the services described in the underlying services agreement, plus management, administration, and legal responsibilities of the Business Associate.

2. Safeguards

Business Associate will implement administrative, physical, and technical safeguards that reasonably protect PHI confidentiality, integrity, and availability, consistent with 45 CFR §§ 164.308, 164.310, 164.312.

3. Reporting

Business Associate will report any use or disclosure of PHI not provided for in this BAA, including breaches of unsecured PHI, without unreasonable delay and in no case later than 30 days after discovery.

4. Subcontractors

Business Associate will ensure any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions and conditions.

5. Termination

Upon termination, Business Associate will return or destroy all PHI received from the Covered Entity, or, if return/destruction is infeasible, extend the protections of this BAA to such PHI.

Organization owners can accept this BAA in Compliance settings.

Patient Rights
  • Access & portability: patients may request a copy of their data via their clinic.
  • Deletion: patients may request deletion of their record subject to legal retention requirements.
  • Audit: all access to PHI is logged and reviewable by the organization.

Infrastructure
  • Application served from an edge runtime; database hosted in a SOC 2 / HIPAA-eligible region.
  • Payments processed by PCI-DSS Level 1 providers; the platform never stores card data.
  • Vulnerability scanning and dependency auditing on every deploy.

Questions? Contact your organization's privacy officer or platform support. See also our Business Associate Agreement, Clinic Privacy Notice, and Data Processing Addendum.