Compliance Statement
Version 2026.05.02 · Effective 2026
Plain-English statement: HippoHandover is not currently SOC 2 certified. SOC 2 is an external audit performed by a CPA firm and is on our roadmap. PHIA is not a certification anyone can buy — it is a regulatory framework we comply with through documented controls. Compliance with your institution's privacy policy remains the responsibility of you and your institution.
1. Controls in place today
- Access control: email + password (bcrypt cost 12), HTTP-only Secure SameSite session cookie, 8-hour idle timeout, rate-limited authentication, branch-scoped RBAC, leader-approved service membership.
- Audit logging: every patient view, write, archive, restore, handover generation, and policy attestation is recorded.
- Transport & headers: HTTPS-only, HSTS preload, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, no DNS prefetch.
- Data hygiene: no PHI in URLs, page titles, browser notifications, localStorage, or analytics. No third-party trackers or ad networks.
- Encryption: TLS 1.2+ in transit, provider-managed encryption at rest, no plaintext passwords.
- AI guardrails: AI features off by default; activate only with an institution-approved provider; outputs labelled clinician-review-required and audit-logged.
- Versioned policy attestation: each user's acceptance of each policy version is logged with timestamp and context (signup vs login).
- Defensive coding: rate limits on auth, idempotent migrations, branch-scoped queries, server-side input validation (Zod).
2. SOC 2 Trust Service Criteria — current self-assessment
This is a self-assessment, not an audited opinion. We map current controls to SOC 2 criteria so an institution's privacy/security team can quickly gauge fit:
- Security (CC1–CC9): access controls, audit logs, secure SDLC on Vercel, change tracking via git + migrations, vendor risk via DPA where available.
- Availability (A1): hosted on Vercel + Supabase; institutions should plan a paper-or-EMR fallback.
- Confidentiality (C1): PHI handled per Privacy Policy; AI providers receive only authorised, scoped context.
- Processing Integrity (PI1): server-side validation, idempotent migrations, type-safe API.
- Privacy (P1): Privacy Policy aligned with PHIA/PIPEDA; consent captured per user per policy version.
3. PHIA alignment
- Reasonable administrative and technical safeguards.
- Need-to-know access controls scoped by service membership.
- Breach-response notification commitments.
- Retention controls.
- User attestation log evidencing informed consent.
4. Your institution's responsibility
- Confirming HippoHandover may be used with your patient population under institutional policy.
- Provisioning and de-provisioning user accounts at the appropriate role.
- Configuring AI providers with appropriate contractual protections (BAA, zero retention).
- Periodic audit log review.
- Approving updates that change data processing in any material way.
5. Roadmap
- SOC 2 Type I audit, target within 12 months of broad institutional rollout.
- Optional MFA via TOTP authenticator app.
- Cross-instance rate limiting replacing in-memory limiter.
- Annual external penetration test.
6. Reporting a vulnerability
Email security@hippomedicine.com with reproduction steps. Acknowledged within 48 hours.