Security

How we protect
your practice data

Hipafy is built by a compliance company. We hold ourselves to the same standards we help our customers meet. This page explains exactly what we do to protect your data.

Encryption in transit and at rest
No patient PHI stored
GDPR compliant — EU based
72-hour breach notification
Our core security principle
The most secure data is the data we never touch

Hipafy is designed with a deliberate architectural choice: we do not store patient PHI. Our platform collects operational information about your practice — your EHR vendor, staff count, communication methods — not patient names, records, diagnoses, or clinical notes. This is a security design decision, not a limitation.

If we never hold patient data, we can never lose it, leak it, or be compelled to disclose it. This is the most reliable security guarantee we can offer healthcare practices: the attack surface simply does not exist. The compliance documentation we generate is based on your practice profile, not your patient database.

For the operational practice data we do store — assessment answers, account information, training records — we apply the technical controls described on this page.

Encryption
Data protected in transit and at rest
TLS 1.2+ for all data in transit
Every connection between your browser and Hipafy’s servers is encrypted using Transport Layer Security (TLS) 1.2 or higher. We do not support older, insecure protocols (SSLv3, TLS 1.0, TLS 1.1).
AES-256 encryption at rest
All data stored in Hipafy’s databases and file storage is encrypted at rest using AES-256. Encryption keys are managed separately from the data they protect.
HTTPS enforced — HSTS enabled
HTTP Strict Transport Security (HSTS) is enabled on hipafy.com and all subdomains. Browsers are instructed to always use HTTPS, preventing protocol downgrade attacks.
Passwords hashed with bcrypt
User passwords are never stored in plaintext. We use bcrypt with a sufficient cost factor, meaning even if our database were compromised, passwords would be computationally infeasible to recover.
Access controls
Least-privilege access to your data
Role-based access control
Access to systems and data is granted on a need-to-know basis. Internal staff access is tiered — no individual has access to more data than their role requires.
Multi-factor authentication required internally
All Hipafy staff with access to production systems are required to use multi-factor authentication (MFA). We strongly recommend MFA for customer accounts too.
Audit logging
Access to systems containing customer data is logged. Logs are retained for a minimum of 12 months and are protected against tampering.
Automated session management
User sessions time out after a period of inactivity. Session tokens are invalidated on logout and rotated on privilege changes.
Infrastructure
Where your data lives
EU-based hosting preference
Hipafy prioritizes EU-based data centers for primary storage to minimize cross-border transfer complexity under GDPR.
Automated backups
Customer data is backed up daily. Backups are encrypted, stored separately from primary systems, and tested regularly for recoverability.
DDoS protection
Infrastructure-level DDoS mitigation is in place to protect platform availability.
Operational security
Policies and procedures
Annual security risk assessments
Hipafy conducts formal security risk assessments at least annually, consistent with the methodology we recommend to our customers.
Documented incident response
A formal incident response plan is maintained and tested. Key steps and contacts are documented and accessible to relevant personnel.
Staff security training
All Hipafy staff complete annual HIPAA and security awareness training — the same training we provide to our customers.
Payment security
We never touch your card details

Hipafy uses Stripe for all payment processing. Stripe is a PCI DSS Level 1 certified payment processor — the highest level of certification available. When you enter payment details on Hipafy, they go directly to Stripe’s systems over an encrypted connection. Hipafy’s servers never see, receive, or store your full card number, CVV, or bank account details.

What Hipafy receives from Stripe: a tokenized reference to your payment method, the last four digits of your card, the card type, and your billing name and address for invoicing. This is sufficient for subscription management and completely isolated from your sensitive payment credentials.

Third-party and sub-processor security
How we vet the vendors we use

Hipafy uses a limited number of third-party service providers. Before engaging any provider that processes customer data, we evaluate their:

Security certifications: SOC 2, ISO 27001, or equivalent
Data processing agreement: GDPR-compliant DPA in place
Data transfer mechanisms: SCCs or adequacy decision
Encryption standards: TLS in transit, AES at rest
Breach notification: contractual notification obligation
Access limitation: minimum necessary data access only

All sub-processors are listed in our Privacy Policy and are contractually bound to maintain the same level of data protection as Hipafy. We review sub-processor security posture at least annually.

Breach notification
What we do if something goes wrong

In the event of a security incident that involves your data, Hipafy follows a documented incident response procedure:

Immediate containment
As soon as an incident is detected, we isolate affected systems, revoke compromised credentials, and stop the breach from spreading.
72-hour supervisory authority notification
Where a breach poses a risk to individuals, we notify the Hungarian data protection authority (NAIH) within 72 hours of discovery, as required by GDPR Article 33.
Customer notification without undue delay
We notify affected customers promptly, with a clear description of what happened, what data was involved, and what we are doing about it.
Full post-incident review
After every incident, we conduct a root-cause analysis and update our controls and procedures to prevent recurrence. Findings are documented and retained.

For incidents involving PHI under our Business Associate Agreements, we also follow the breach notification requirements of 45 CFR Part 164, Subpart D, including notifying Covered Entities within the timeframes specified in the applicable BAA.

Your security responsibilities
Security is a shared responsibility

Hipafy secures the platform. You secure your access to it. Here is what we recommend:

Use a strong, unique password
Use a password manager (Bitwarden, 1Password) to generate and store a unique password for your Hipafy account. Never reuse passwords across services.
Enable multi-factor authentication
Enable MFA on your Hipafy account (when available) and on your email account. Your email is the recovery path for your account — protect it as carefully as your EHR login.
Do not enter patient PHI into the platform
Hipafy does not require and should not receive individual patient records. Answer assessment questions with practice-level information only — not patient-specific data.
Report suspicious activity immediately
If you notice unexpected activity on your account — logins you did not perform, documents you did not generate — contact security@hipafy.com immediately.
Manage staff access carefully
When a staff member leaves your practice, remove their access to the Hipafy training module promptly. This is the same principle we teach in our training content.
Responsible disclosure
Found a vulnerability? Tell us first.

If you believe you have discovered a security vulnerability in Hipafy’s platform or website, we ask that you disclose it to us responsibly before making it public. We are committed to working with security researchers in good faith.

To report a vulnerability: Email security@hipafy.com with a description of the vulnerability, steps to reproduce it, and your assessment of potential impact. Please include “Responsible Disclosure” in the subject line.

Our commitments to researchers: We will acknowledge your report within 2 business days, keep you informed of our progress, work to remediate confirmed vulnerabilities promptly, and not take legal action against researchers who act in good faith.

Out of scope: Social engineering attacks on Hipafy staff, physical access attacks, denial-of-service attacks, spam, and issues in third-party services not under Hipafy’s control.

Security questions or concerns?

Contact our security team directly. We take all reports seriously and respond within 2 business days.

Email: security@hipafy.com

Last updated: May 8, 2026