Security

Your data security is our top priority

HealthPriceWatch handles sensitive hospital compliance data. We implement enterprise-grade security measures to protect your information and maintain the highest standards of data protection.

Encryption

All data is encrypted in transit with TLS 1.3 and at rest with AES-256 encryption. Your compliance data is always protected.

Access Controls

Role-based access controls ensure that only authorized users can access your compliance data. Multi-factor authentication is available.

Audit Logs

Comprehensive audit trails track all access and modifications to your data, providing full transparency and accountability.

Infrastructure

Hosted on enterprise-grade cloud infrastructure with automated backups, redundancy, and 99.9% uptime SLA.

Compliance

SOC 2 Type II compliance in progress. Regular third-party security audits and penetration testing.

Monitoring

24/7 security monitoring with automated threat detection and incident response procedures.

Data Protection Practices

Data Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database backups
  • Secure key management with automatic rotation

Access Management

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) support
  • Single sign-on (SSO) for enterprise customers
  • Automatic session timeout after inactivity
  • IP allowlisting available for enterprise plans

Infrastructure Security

  • Hosted on Vercel and Supabase enterprise infrastructure
  • Automated daily backups with point-in-time recovery
  • Geographic redundancy and failover
  • DDoS protection and rate limiting
  • Web application firewall (WAF)

Application Security

  • Secure development lifecycle practices
  • Automated dependency scanning and updates
  • Regular security vulnerability assessments
  • Code reviews and security testing
  • Input validation and sanitization

Privacy & Data Handling

We follow strict data handling policies:

  • Data is never shared with third parties without your consent
  • No sale of customer data
  • Minimal data collection - only what's necessary for the service
  • Data retention policies aligned with compliance requirements
  • Right to data export and deletion
  • Regular privacy impact assessments

Compliance & Certifications

SOC 2 Type II (In Progress)

We are actively pursuing SOC 2 Type II certification, expected completion Q2 2026. This validates our security controls for confidentiality, availability, and processing integrity.

HIPAA Compliance

While HealthPriceWatch does not handle Protected Health Information (PHI), we implement HIPAA-aligned security controls as a best practice.

GDPR & CCPA

We comply with GDPR and CCPA requirements, providing data portability, deletion rights, and transparent privacy practices.

Incident Response

We maintain a comprehensive incident response plan:

  • 24/7 security monitoring and alerting
  • Dedicated incident response team
  • Defined escalation procedures
  • Customer notification within 72 hours of confirmed breach
  • Post-incident analysis and remediation
  • Regular incident response drills and tabletop exercises

Employee Security

Our team follows strict security practices:

  • Background checks for all employees with data access
  • Regular security training and awareness programs
  • Signed confidentiality and data protection agreements
  • Principle of least privilege access
  • Secure device management and endpoint protection

Third-Party Vendors

We carefully vet all third-party services:

Our Trusted Partners:

  • Vercel: Application hosting and CDN (SOC 2 Type II certified)
  • Supabase: Database and authentication (SOC 2 Type II certified)
  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • Resend: Transactional email delivery

All vendors undergo security assessment and sign data processing agreements.

Report a Security Issue

If you discover a security vulnerability, please report it responsibly to:

Email: security@healthpricewatch.com

We take all security reports seriously and will respond within 48 hours. Please do not publicly disclose issues until we've had a chance to address them.

Questions?

For questions about our security practices, or to request our security documentation, contact security@healthpricewatch.com.