Data Processing Notes
Version 2026.05.02 · Effective 2026
1. Data we process for you
On your behalf we process the categories listed in the Privacy Policy: account data, clinical records, audit logs, push subscriptions, and policy attestations. Patient row data is encrypted in transit and at rest by our database provider.
2. Sub-processors
| Sub-processor | Role | Region | What they touch |
|---|---|---|---|
| Vercel Inc. | Application hosting + CDN | Global edge; functions in user-selected region | Authenticated requests, including encrypted patient row data passing through serverless functions. |
| Supabase | Managed PostgreSQL | Configured per project (e.g. ca-central-1) | Persistent storage of account, clinical, and audit data with provider-managed encryption. |
| Groq Inc. (optional) | LLM inference (handover drafts, list extraction) | US (Groq cloud) | Only the structured patient context already on the user's authorised list. No persistent storage by Groq under the configured zero-retention path. |
| Anthropic (optional) | Alternate LLM provider | US | Same as Groq when configured. |
3. Encryption
- TLS 1.2+ in transit between user devices, our app, and our database.
- Provider-managed encryption at rest for the database.
- Bcrypt (cost factor 12) for password hashes — passwords are never stored in plaintext.
- Web Push payloads are encrypted to each browser subscription's p256dh and auth keys (RFC 8291 aes128gcm); VAPID keys authenticate our server to the push service.
4. Access controls
- Specialty-branch RBAC scoping every patient query to the user's active service.
- Service membership requires leader approval.
- Audit log on every patient view and write (see Audit & Retention Policy).
5. Retention & deletion
See the Privacy Policy and the bundled AUDIT_RETENTION.md document. On deletion request, records are removed within 30 days unless retention is required by law or institutional policy.
6. Incident response
We notify institutional contacts within 72 hours of confirmed unauthorised access to identifiable data, faster where required by jurisdiction. Users in the affected scope are notified per institutional preference.
7. International transfers
Where data crosses borders, we rely on contractual safeguards equivalent to the protections in the Privacy Policy. Patient row data is not sent to LLM providers unless the institution explicitly opts in.