Trust Center — Privacy, Security & Compliance
FIZIAL operates a general-purpose, healthcare-grade Software-as-a-Service (SaaS) platform designed for compliance with GDPR, UK GDPR, HIPAA, SOC 2, and ISO/IEC 27001.
FIZIAL supports independent clinics, multi-location providers, enterprise healthcare organizations, and regulated medical service operators.
Privacy Policy
Customers act as Data Controllers. FIZIAL acts as a Data Processor under GDPR and a Business Associate under HIPAA. Personal data and Protected Health Information are processed solely to provide contracted services.
HIPAA Business Associate Agreement (BAA)
1. Definitions (HIPAA)
- Covered Entity has the meaning set forth in 45 CFR §160.103.
- Business Associate means FIZIAL as defined in 45 CFR §160.103.
- Protected Health Information (PHI) has the meaning set forth in 45 CFR §160.103.
- Security Incident has the meaning set forth in 45 CFR §164.304.
- Breach has the meaning set forth in 45 CFR §164.402.
2. Permitted Uses and Disclosures
- Provision of SaaS services under the master services agreement
- System administration, maintenance, and security operations
- Compliance with applicable law and regulatory obligations
PHI is never used for advertising, marketing, profiling, or unrelated analytics.
3. Safeguards
- Administrative, technical, and physical safeguards per 45 CFR §164
- Encryption of PHI at rest and in transit
- Role-based access controls and least-privilege enforcement
- Comprehensive audit logging and monitoring
4. Breach Notification
FIZIAL shall notify the Covered Entity without unreasonable delay and no later than 60 days following discovery of a Breach.
5. Subcontractors
All subcontractors with access to PHI are subject to written agreements imposing HIPAA-equivalent obligations.
6. Termination
Upon termination, PHI shall be returned or securely destroyed. If destruction is infeasible, protections shall survive indefinitely.
This Agreement may be executed electronically. Signed HIPAA Business Associate Agreements are available upon request.
GDPR Data Processing Agreement (DPA)
1. Definitions (GDPR)
- Personal Data has the meaning set forth in Article 4(1) GDPR.
- Processing has the meaning set forth in Article 4(2) GDPR.
- Controller has the meaning set forth in Article 4(7) GDPR.
- Processor has the meaning set forth in Article 4(8) GDPR.
- Special Categories of Data has the meaning set forth in Article 9 GDPR.
2. Roles
- Controller: Healthcare Provider
- Processor: FIZIAL
3. Subject Matter & Purpose
Processing of healthcare, administrative, and operational data to provide clinic management SaaS services.
4. Processor Obligations
- Process data only on documented instructions (Article 28)
- Maintain confidentiality commitments
- Implement appropriate technical and organizational measures (Article 32)
- Assist with data subject rights requests
- Notify personal data breaches within 72 hours
5. International Transfers
Cross-border transfers are safeguarded using Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTA), where applicable.
Signed GDPR Data Processing Agreements are available upon request.
Incident Response & Breach Handling
- 24/7 security monitoring and alerting
- Incident classification and escalation procedures
- Customer notification workflows
- Post-incident investigation and remediation
Availability & Service Level Commitments
- Target uptime: 99.9%
- Redundant cloud infrastructure
- Daily encrypted backups
- Disaster recovery and business continuity testing
Formal Service Level Agreements are provided contractually.
Sub-Processors
All sub-processors are vetted and contractually bound to equivalent data protection, confidentiality, and security obligations.
| Category | Purpose | Region |
|---|---|---|
| Cloud Infrastructure | Hosting and data storage | EU / US |
| Email Delivery | Transactional communications | Global |
| Monitoring & Logging | Security and reliability | EU / US |
Regulatory Mapping
| Framework | Coverage |
|---|---|
| HIPAA | Privacy Rule, Security Rule, Breach Notification Rule |
| GDPR | Articles 5, 6, 9, 28, 32, 33 |
| SOC 2 | Security, Availability, Confidentiality |
| ISO 27001 | Risk, Access Control, Incident Management, Continuity |
Document Governance
- Version: 1.0
- Effective Date: January 1, 2026
- Review Cycle: Annual
Material changes are communicated contractually or through the platform.
Country & Jurisdiction-Specific Annexes
FIZIAL provides jurisdiction-specific data protection and compliance annexes to support local regulatory requirements and supervisory authority expectations. These annexes form part of the contractual data protection framework.
- European Union (EU): Country-specific GDPR annexes (e.g., Germany, France, Netherlands), including local supervisory authority references and health data nuances.
- United Kingdom (UK): UK GDPR annex, incorporating the Data Protection Act 2018 and UK International Data Transfer Agreement (IDTA).
- United States (US): HIPAA-focused annexes aligned with federal requirements and applicable state-level healthcare privacy laws.
- Other Jurisdictions: Annexes for Canada (PIPEDA), Australia (Privacy Act), and other regions are available upon request.
Annexes are provided during procurement, contract negotiation, or regulatory review processes.
Control-to-Regulation Mapping
FIZIAL maintains a formal control mapping that links internal security, privacy, and operational controls directly to regulatory and assurance frameworks. This mapping supports audits, customer due diligence, and regulatory inspections.
| Framework | Mapped Controls | Purpose |
|---|---|---|
| HIPAA | Administrative, Technical, Physical Safeguards | Healthcare privacy and security compliance |
| GDPR / UK GDPR | Articles 5, 6, 9, 28, 30, 32, 33 | Lawful processing and data protection |
| SOC 2 | CC Series Controls | Security, availability, confidentiality assurance |
| ISO/IEC 27001 | Annex A Controls | Information Security Management System (ISMS) |
Control-to-regulation mapping documentation is available under NDA.
SOC 2 Reports & Audit Evidence
FIZIAL undergoes independent third-party audits to validate the effectiveness of its security and availability controls.
- SOC 2 Type I: Design of controls at a point in time
- SOC 2 Type II: Operating effectiveness over a review period
SOC 2 reports include coverage of:
- Security
- Availability
- Confidentiality
Reports and supporting audit evidence are made available to customers and prospects under a non-disclosure agreement (NDA).
Trust Center Portal
FIZIAL maintains a centralized Trust Center portal for customers, partners, and regulators to access compliance documentation.
The Trust Center includes:
- Privacy Policy, HIPAA BAA, and GDPR DPA
- Sub-processor lists and updates
- SOC 2 reports and certifications
- Security whitepapers and architecture overviews
- Incident response summaries and notifications
Access to restricted materials is governed by role-based permissions and contractual requirements.
Procurement & Due Diligence Support
FIZIAL supports customer procurement, legal, compliance, and information security teams throughout vendor risk assessment processes.
- Security questionnaires (SIG, CAIQ, custom)
- Data protection impact assessments (DPIAs)
- Vendor risk and compliance reviews
- Regulatory inquiry and audit support
Dedicated compliance and security contacts are available to support enterprise and regulated customers.
Automated Change Logs
FIZIAL implements an automated change log system for all compliance-related documents, configurations, and platform updates.
- Tracks changes to Privacy Policy, BAA, DPA, and security policies
- Maintains timestamped version history accessible to authorized personnel
- Supports audit requests and regulatory reviews
- Enables proactive notifications to customers and stakeholders
This system ensures transparency and traceability for all compliance artifacts.
Real-Time Sub-Processor Notifications
FIZIAL provides real-time notifications to customers regarding changes to sub-processors or new engagements that may involve personal data or PHI.
- Immediate notification for new sub-processors with relevant scope
- Updates to existing sub-processor contracts, security posture, or certifications
- Centralized reporting via Trust Center portal
- Ability to review and object to sub-processors within contractual notice period
This process ensures customers maintain continuous oversight over their data.
Signed Artifact Downloads
Customers and authorized partners can download signed and timestamped copies of key compliance documents directly from the Trust Center.
- Privacy Policy (PDF + digital signature)
- HIPAA Business Associate Agreement (BAA)
- GDPR Data Processing Agreement (DPA)
- SOC 2 and ISO/IEC 27001 certificates
- Sub-processor agreements and attestation letters
All downloads are cryptographically verified and tamper-evident, ensuring regulatory defensibility.
Public / Private Trust Center
FIZIAL operates a dual-layer Trust Center to optimize transparency and security:
- Public Trust Center: High-level compliance overview, SOC 2 summary, standard privacy policies, and certifications
- Private Trust Center: Customer-specific artifacts, signed agreements, audit reports, sub-processor details, and detailed operational evidence
Access is controlled via identity management and role-based permissions, ensuring that sensitive compliance information is only available to authorized users.
Automated Regulatory Updates
FIZIAL maintains a system that monitors regulatory changes impacting HIPAA, GDPR, UK GDPR, ISO 27001, SOC 2, and other applicable frameworks.
- Tracks regulatory guidance, laws, and standards changes in real-time
- Automatically flags impacted policies, controls, and customer obligations
- Generates update recommendations for internal teams and customers
- Ensures continuous compliance with minimal manual intervention
This automated approach enhances agility, reduces risk, and supports enterprise-level regulatory governance.
Effective Date: January 1, 2026
Last Updated: January 1, 2026
1. Introduction
This Privacy Policy explains how [Company Name] (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information when providing our Software-as-a-Service (SaaS) clinic management platform (the “Services”). Our Services are designed for healthcare providers, clinics, and allied health organizations to manage operations, patient scheduling, records, billing, and communications. We are committed to protecting personal data and complying with applicable privacy and data protection laws, including:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Applicable national and regional data protection laws
2. Scope of This Policy
This Privacy Policy applies to:
- Clinic administrators, staff, and authorized users (“Customers”)
- Website visitors
- End patients whose data is processed on behalf of our Customers
This policy does not apply to third-party services integrated with our platform, which are governed by their own privacy policies.
3. Roles Under Data Protection Laws
3.1 Data Controller (GDPR)
Customers (clinics and healthcare providers) are the Data Controllers of patient and clinical data.
3.2 Data Processor
[Company Name] acts as a Data Processor, processing data solely on documented instructions from Customers.
3.3 HIPAA Role
Under HIPAA, [Company Name] operates as a Business Associate and processes Protected Health Information (PHI) only as permitted under applicable Business Associate Agreements (BAAs).
4. Information We Process
4.1 Information Provided by Customers
- Clinic and organization details
- User account credentials
- Scheduling, billing, and operational data
- Patient records, notes, and clinical documentation (PHI)
4.2 Information Collected Automatically
- IP address and device information
- Log files and system usage data
- Browser type and operating system
- Date/time of access and activity history
4.3 Information We Do Not Collect
- We do not sell personal data
- We do not use PHI for advertising or marketing
- We do not access patient data outside authorized processing
5. Legal Bases for Processing (GDPR)
We process personal data under the following lawful bases:
- Performance of a contract (providing SaaS services)
- Legal obligations (healthcare, tax, and security laws)
- Legitimate interests (platform security, fraud prevention)
- Explicit consent, where required by law
6. How We Use Information
We use information solely to:
- Provide, operate, and maintain the Services
- Secure and authenticate user access
- Enable clinic workflows and patient management
- Monitor system performance and security
- Comply with legal and regulatory requirements
- Provide customer support and service updates
7. HIPAA Compliance & PHI Safeguards
We implement administrative, technical, and physical safeguards including:
- Encryption at rest and in transit
- Role-based access controls
- Audit logs and access monitoring
- Data minimization and isolation
- Staff training on HIPAA and data security
PHI is accessed only as necessary to provide contracted services.
8. Data Sharing and Disclosure
We may share data only with:
- Authorized Customer users
- Sub-processors under strict contractual obligations
- Regulatory authorities when legally required
All sub-processors are vetted for GDPR and HIPAA compliance. A current list of sub-processors is available upon request.
9. International Data Transfers
Where data is transferred outside its country of origin, we ensure appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
- Equivalent legal protections
10. Data Retention
We retain personal data only for as long as:
- Required to provide the Services
- Required by law or regulation
- Instructed by Customers
Upon contract termination, data is returned or securely deleted according to documented procedures.
11. Data Subject Rights (GDPR)
Individuals may have the right to:
- Access their personal data
- Rectify inaccurate data
- Request erasure (“right to be forgotten”)
- Restrict or object to processing
- Data portability
Requests should be directed to the relevant clinic (Data Controller). We assist Customers in fulfilling these requests as required by law.
12. Security Measures
We maintain an enterprise-grade security program including:
- ISO-aligned security practices
- Regular vulnerability assessments
- Incident response and breach notification procedures
- Secure data centers and infrastructure
In the event of a data breach, we notify affected Customers without undue delay.
13. Cookies & Tracking
We use essential cookies and similar technologies for:
- Authentication
- Session management
- Security
We do not use cookies for behavioral advertising involving PHI.
14. Children’s Privacy
Our Services are not intended for use by children directly. Any data relating to minors is processed only under the authority of healthcare providers in compliance with applicable laws.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Material changes will be communicated through the platform or via email. Continued use of the Services constitutes acceptance of the updated policy.
16. Contact Information
For privacy or data protection inquiries, contact:
Data Protection Officer
[Company Name]
Email: privacy@episoft.com
Address: [Company Address]