1. Our Security Commitment
elev8 serves behavioral health organizations, where data protection is mission-critical. We design our systems and processes to safeguard the confidentiality, integrity, and availability of the information entrusted to us, and to support our clients in meeting their own HIPAA and 42 CFR Part 2 obligations.
2. Encryption
All data is encrypted in transit using TLS/SSL. Sensitive data is encrypted at rest using industry-standard algorithms. Encryption keys are managed through our cloud provider’s key management service with restricted access.
3. Access Controls
We enforce role-based access controls and the principle of least privilege. Access to systems containing client data is restricted to authorized personnel, requires individual credentials, and is reviewed regularly. Administrative access requires multi-factor authentication.
4. Audit Logging & Monitoring
Access to client data is logged with timestamp, user identity, and action performed. Access logs are retained for a minimum of 12 months, and HIPAA-required security documentation is retained for six years in accordance with 45 CFR §164.316(b)(2). Systems are continuously monitored for anomalous activity.
5. Infrastructure & Subprocessors
Our infrastructure runs on Amazon Web Services (AWS), which maintains SOC 2, ISO 27001, and HIPAA-eligible certifications. We engage a limited set of vetted subprocessors to deliver our services, each bound by data protection terms. A current subprocessor list is available on request.
6. Incident Response
We maintain a structured incident response plan covering detection, containment, assessment, notification, and remediation. Affected clients are notified within 24 hours of breach confirmation, and all required regulatory notifications are filed in accordance with HIPAA’s Breach Notification Rule (45 CFR §164.404 / §164.410) within 60 days of discovery, as well as applicable state laws.
7. Business Associate Agreements
For clients whose workflows require elev8 to handle data that may constitute PHI, a Business Associate Agreement (BAA) is available. To request a BAA, contact our compliance team at [email protected].
8. Reporting a Vulnerability
If you believe you have found a security vulnerability, please report it to [email protected]. We investigate all good-faith reports and will acknowledge your submission.
This page is provided for general informational purposes and does not constitute legal advice.
