HIPAA infrastructure, encryption & data security

Data protection

In transit

All connections use TLS 1.2+ enforced at the edge. HTTPS is required on every endpoint.

At rest

OAuth tokens encrypted with AES-256-CBC. Database encryption provided by managed hosting infrastructure.

Data isolation

Solo / Professional / Business: application-level tenant isolation with row-level security on a shared, compliance-certified cluster. Enterprise: dedicated data plane with restricted database users and IP firewall rules — cluster-level isolation, not logical multi-tenancy.

Backup

Managed database backups with point-in-time recovery. Enterprise: dedicated cluster with independent backup policy.

PHI handling

With an active BAA, PHI flows to BAA-covered inference providers under HASP's own agreements — no redaction required to stay compliant. Your organization chooses how PHI is handled at the AI gateway: allow it through under your BAA, redact it before it reaches a provider, or block it. When you choose redaction, scanning and re-identification run in HASP's own PHI anonymization pipeline (healthcare-specific recognizers running on managed compute inside the HASP compliance boundary) — never delegated to a third party. Requires a signed BAA — contact [email protected] to execute.

Compliance

HIPAA

Full HIPAA controls: PHI scanning at the AI gateway, signed audit chain, dedicated data planes, BAA lifecycle management. PHI mode activates per organization upon BAA execution. Available on all paid plans.

GDPR

Consent capture, self-service data export (right to portability), account deletion (right to erasure), cookie consent banner, and a published DPA available for all customers.

CCPA

Supported via the same self-service data export and deletion capabilities.

PIPEDA

Compliant with Canada's Personal Information Protection and Electronic Documents Act. PIPEDA's ten fair-information principles are satisfied by the same control set that underpins GDPR compliance, with cross-border transfer accountability discharged through contractual clauses in our DPA.

Proposed CPPA (Bill C-27)

Canada's Bill C-27 proposes the Consumer Privacy Protection Act as PIPEDA's successor. The bill is not yet law. HASP's existing control set is designed to satisfy it ahead of enactment — no new claims are made until the legislation comes into force.

Data residency

Enterprise customers receive a dedicated database cluster with region selection.

Audit logging

Immutable append-only audit trail on every paid plan. Records are Ed25519 hash-chained with RFC 3161 timestamp anchoring. Cryptographic chain integrity is verifiable without HASP software at every tier; Enterprise adds full-log CSV export. Verification recipe →

Audit retention

7 years across every paid tier; Enterprise may configure longer per contract.

SOC 2

Not yet certified. SOC 2 Type II is on the roadmap. The underlying compliance substrate and edge network are SOC 2 certified. This page will be updated when HASP's own certification is complete.

Privacy

Privacy Policy

usehasp.com/privacy — how we collect, use, and protect your data.

Data Processing Agreement

usehasp.com/legal/dpa — governs processing of personal data on your behalf. Contact [email protected] to execute a countersigned copy.

Cookies

Product-analytics cookies (proxied through e.usehasp.com) are only loaded with explicit user consent via the cookie banner. Session cookies are strictly necessary. The runtime domain (usehasp.run) does not load third-party analytics on behalf of your app's end users.

Sub-processors

Full sub-processor list in the DPA and at Trust Center → Sub-processors. 30-day advance notice before any addition or material change.

Do Not Track

HASP honors the Do Not Track (DNT) browser signal. When DNT is enabled, analytics tracking is disabled.

Security contacts