Security & compliance, by design

Health technology lives or dies on trust. We build systems that are designed from the first architecture diagram to support our clients' obligations under HIPAA, PIPEDA, and other privacy regulations — not patched for compliance after the fact.

HIPAA-aligned builds PIPEDA (Canada) Alberta HIA & PHIPA GDPR-aware
Regulatory frameworks

Regulations we design for

Compliance obligations sit with the organization that holds the data — our job is to make sure the software never stands in the way of meeting them.

HIPAA (United States)

For clients serving US patients, we build to the HIPAA Security and Privacy Rules: safeguards for protected health information (PHI), role-based access controls, audit logging, encryption of PHI in transit and at rest, and architectures that support Business Associate Agreement (BAA) obligations with hosting providers.

PIPEDA (Canada)

As a Canadian company, we design to PIPEDA's ten fair information principles: meaningful consent, purpose limitation, data minimization, individual access rights, and appropriate safeguards for personal information handled by the systems we build.

Provincial health acts (HIA, PHIPA)

Health information in Canada is governed provincially. We're based in Alberta and build with the Alberta Health Information Act in mind, and design for Ontario's PHIPA and other provincial frameworks when projects call for it — including data residency requirements for Canadian health data.

GDPR (European Union)

For products with European users, we apply GDPR principles: lawful basis for processing, privacy by design and by default, data subject rights (access, rectification, erasure), and documented data processing flows.

Engineering practices

How we build secure software

Security is a property of the whole development process, not a checklist at the end. These practices apply to every project we take on — and we tighten them further for systems that handle health information.

  • Encryption everywhere. TLS for all data in transit; encryption at rest for databases, backups, and file storage.
  • Least-privilege access. Role-based access control in the products we build, and scoped credentials, MFA, and environment isolation in how we operate.
  • Audit trails. Access to sensitive records is logged so organizations can answer "who saw what, when" — a core requirement of HIPAA and provincial health acts.
  • Secure SDLC. Code review on every change, dependency and vulnerability scanning, secrets management, and separation between development, staging, and production data.
  • Data minimization & residency. We collect only what the product needs, and architect for regional data residency (including Canadian residency for health data) where required.
  • Resilience. Automated backups, tested restore procedures, and monitoring with alerting — because availability is part of security.
  • Confidentiality as standard. NDAs, IP assignment, and discreet handling of client work are part of every engagement.

Building something that handles sensitive data?

Tell us about your regulatory context — we'll walk you through how we'd architect for it, in plain language.

Book a Free Discovery Call