Security Statement

We are committed to protecting the security, privacy, and integrity of your data on the Health Cloud platform. This Security Statement outlines our approach to safeguarding information (including any Protected Health Information, or “PHI”) and our compliance efforts under applicable law, such as the Health Insurance Portability and Accountability Act (“HIPAA”), and under industry security standards such as SOC 2. We have implemented a comprehensive security program with risk-based measures and will continue to refine these controls as we progress through our beta and beyond.

Data Encryption

All sensitive data entrusted to Health Cloud is encrypted both in transit and at rest. We use strong, industry-standard encryption protocols (TLS 1.2 or later for data in transit) to protect data as it travels between your device and our servers. Likewise, data stored on our systems (including databases, backups, and file storage) is encrypted using robust algorithms (such as AES-256 for data at rest). These measures help ensure that PHI and other confidential information cannot be read by unauthorized parties if network traffic is intercepted or storage media or backups are improperly obtained. Encryption at rest protects stored data against theft of the underlying media; it does not replace the access controls described below, because an application reading data through its normal, authorized path sees it decrypted.

Secure Infrastructure

Health Cloud is hosted on a secure cloud infrastructure with rigorous protections (for example, a HIPAA-compliant environment on Amazon Web Services or a comparable provider). Our cloud servers reside in facilities with strong physical security controls (guarded data centers, biometric access, surveillance, and redundant power and cooling). At the network level, we use firewalls, virtual private clouds (VPCs), and other isolation techniques to segregate and protect data. We have also executed the required Business Associate Agreements (BAAs) with our cloud hosting providers and other relevant vendors. This ensures that our partners are contractually committed to protecting PHI in compliance with HIPAA’s requirements. We continuously monitor and harden our infrastructure following security best practices and frameworks.

Access Controls

We enforce strict access controls and authentication mechanisms to limit access to sensitive data. Access to PHI and critical systems is provided on a need-to-know, least-privilege basis. Authorized users (whether healthcare providers using the Platform or our internal administrators) must authenticate through secure methods (such as strong passwords and, for administrative access, multi-factor authentication). Role-based access controls govern what each user or team member can see and do, ensuring that each person can only access the minimum necessary data and functions for their role. We maintain unique user IDs and require secure credentials; shared accounts are not used, so that every action in our audit logs can be attributed to a single person. Additionally, our team members undergo background checks (where appropriate) and HIPAA/security training to further protect against unauthorized data access.

Audit Logging and Monitoring

Health Cloud maintains detailed audit logs of system activity to facilitate oversight and accountability. We log user access and actions performed on the Platform, especially any access to PHI or changes to sensitive settings. These logs record the timestamp, user identity, and nature of each action. Our systems are configured with automated monitoring and intrusion detection tools that alert us to unusual or suspicious activities (such as multiple failed login attempts or anomalous data access patterns). We perform regular reviews of log data and employ security personnel or services to investigate potential incidents proactively. Periodic vulnerability scans and penetration tests are conducted on our applications and infrastructure to identify and address security weaknesses before they can be exploited.
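To make the "multiple failed login attempts" alert above concrete, here is an added example (not Health Cloud's own code, and not its real log schema) of detection logic run over constructed audit log lines that carry the three fields the statement names: timestamp, user identity, and the action taken. The space-separated line format, the five-failures-in-five-minutes threshold, and the field names are assumptions for illustration. It raises one alert when a user's failures cross the threshold inside a sliding window, and a second, higher-priority alert if that same user then logs in successfully, since a success right after a burst is the pattern an investigator most wants to see.

```python
"""Failed-login burst detection over audit log lines.

Added example: the log format and thresholds below are assumptions
for illustration, not Health Cloud's actual schema or alerting rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO timestamp> <user> <action> <outcome>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice login failure
2024-05-01T09:00:05Z alice login failure
2024-05-01T09:00:09Z alice login failure
2024-05-01T09:00:12Z alice login failure
2024-05-01T09:00:15Z alice login failure
2024-05-01T09:00:20Z alice login success
2024-05-01T09:01:00Z bob login failure
2024-05-01T09:30:00Z bob login failure
2024-05-01T09:31:00Z bob phi_read success
"""

FAILURE_THRESHOLD = 5            # assumed: failures that constitute a burst
WINDOW = timedelta(minutes=5)    # assumed: sliding window for counting failures


def parse_line(line):
    """Split one log line into (timestamp, user, action, outcome)."""
    ts, user, action, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, outcome


def detect_failed_login_bursts(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of (alert_type, user, timestamp) tuples.

    'failed_login_burst' fires when a user accumulates `threshold` failures
    within `window`; 'login_success_after_burst' fires if that user then
    authenticates successfully, which is the case to escalate first.
    """
    failures = defaultdict(deque)   # per-user failure timestamps inside the window
    burst_users = set()             # users who have already triggered a burst alert
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, outcome = parse_line(line)
        if action != "login":
            continue                # only authentication events matter here

        if outcome == "failure":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold:
                alerts.append(("failed_login_burst", user, ts))
                burst_users.add(user)
                q.clear()           # one alert per burst, not one per extra failure
        elif outcome == "success" and user in burst_users:
            alerts.append(("login_success_after_burst", user, ts))
            burst_users.discard(user)

    return alerts


if __name__ == "__main__":
    for alert_type, user, ts in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {alert_type} user={user}")
```

On the sample log, alice trips the burst rule on her fifth failure at 09:00:15 and then the success-after-burst rule at 09:00:20; bob's two failures are 29 minutes apart, so the sliding window never holds more than one and he produces no alert. A production detector would key on source address as well as username to catch password spraying across many accounts, which this per-user count does not see.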

Incident Response and Breach Notification

In the event of a security incident, data breach, or any suspected compromise of PHI, Health Cloud has a formal incident response plan in place. We will immediately work to contain and investigate the incident, mitigate any vulnerabilities, and remediate the effects. If a data breach involving PHI occurs, we will provide timely notification to affected users and, if required, to regulators (such as the U.S. Department of Health and Human Services) in accordance with applicable breach notification laws, including the HIPAA Breach Notification Rule, which requires notice without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Our notification would include information about what happened, what data might be involved, steps we are taking in response, and guidance on what you can do to protect yourself. We are dedicated to full transparency and will take all required steps to inform and protect our users in the rare event of a privacy or security incident.

HIPAA Compliance

We designed our security program to meet the safeguards required under HIPAA for protecting electronic PHI. This includes implementing the necessary administrative, technical, and physical safeguards outlined in the HIPAA Security Rule. Examples of our efforts include conducting regular risk assessments and security evaluations, instituting workforce training and policies on handling PHI, and establishing procedures for data backup, secure disposal of data, and incident handling as described above. We also enter into BAAs with any downstream service providers who might handle PHI on our behalf, ensuring they are also obligated to protect your data. Health Cloud abides by HIPAA’s Privacy Rule regarding the use and disclosure of PHI, meaning we only use or share your health data as allowed by law or with your authorization. Our commitment to HIPAA compliance is continuous: we regularly review and update our privacy and security practices to adapt to new regulations or guidance and to maintain a high standard of care for sensitive health information.

SOC 2 and Industry Standards

In addition to HIPAA, we are pursuing compliance with the System and Organization Controls (SOC) 2 Trust Services Criteria, a rigorous standard for security and data protection in cloud-based services. We are aligning our internal controls and policies with SOC 2 requirements covering security, availability, processing integrity, confidentiality, and privacy. As part of this effort, we plan to undergo an independent SOC 2 Type II examination by reputable third-party auditors. This examination evaluates both the design and the operating effectiveness of our security controls over an extended observation period, and results in an attestation report rather than a certificate. An unqualified SOC 2 Type II report will provide independent evidence that our security program meets the benchmark expected by enterprise clients. Even as we work toward completing that examination, we model our practices on recognized frameworks (such as NIST guidance and CIS Benchmarks) to ensure robust protection of user data.

Please note that while we employ state-of-the-art security measures and follow industry best practices, no system can be 100% secure. Cyber threats and technologies continue to evolve, and there is always a residual risk of a breach despite all precautions. We cannot guarantee absolute security of your data. However, we are deeply committed to safeguarding your information. We continuously update our security protocols, invest in improvements, and vigilantly monitor for threats in order to protect your data to the greatest extent possible. Your trust is of paramount importance to us, and we will remain transparent and proactive in our security efforts.