We know that security matters; that's why we take the extra measures to make everything compliant and safe.
Rest easy that everything in grafo is compliant. If you have any further questions or reservations, do not hesitate to reach out below.
There are many things that go into being HIPAA (US), PIPEDA (Canada), and GDPR (UK) compliant. When our customers ask us about security, they are generally looking for information on the following:
Encryption
When your data is travelling from your device to our servers (in transit), it’s encrypted using HTTPS (end-to-end encryption).
Activity monitoring
Every time a client file is accessed or edited, we store who had access, what time they accessed the information, and the IP address of the device’s location.
Password protection
Not fully convinced about keeping it all online and having nothing offline? We've catered for that too: we've created a summary page that you can export or simply save online to refer back to at any stage.
Backups
All of your data is backed up several times each day and the last backup from each day is stored on a totally separate server, in a separate location, with a different provider to mitigate risk.
Security best practices
grafo is designed and managed in alignment with security best practices and a variety of IT security standards, including:
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
SOC 2
SOC 3
FISMA, DIACAP, and FedRAMP
DOD CSM Levels 1-5
PCI DSS Level 1
ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
ITAR
FIPS 140-2
MTCS Level 3
HITRUST
Business Associate Agreement
A Business Associate Agreement (BAA for short) is a document that HIPAA requires you (a healthcare business) to have with us (your software provider). While grafo doesn't directly collect PHI, it's used to store PHI. It's basically meant to ensure that both parties (you and us) are adhering to HIPAA, and it outlines what's required on each side if a breach were to occur.
Appointed Privacy Officers
As required by HIPAA, we've appointed Privacy Officers. These folks will ensure that grafo remains compliant—as well as make sure that BAAs are sent out and completed in a reasonable time! They're also responsible for ensuring that all grafo team members are properly trained on HIPAA and understand the importance of securing PHI.
Our Privacy Officers can be contacted at info@grafnote.com.