Healthcare organizations trust Cyberimpact to communicate securely with patients, members, staff, and stakeholders through a platform designed with strong security and privacy safeguards.
Cyberimpact supports healthcare organizations by providing administrative, technical, and organizational measures designed to help customers meet their HIPAA compliance obligations when using our platform appropriately.
Cyberimpact maintains security practices designed to support organizations subject to the Health Insurance Portability and Accountability Act (HIPAA), including safeguards aligned with the HIPAA Security Rule.
HIPAA does not provide a formal certification program. Cyberimpact maintains safeguards designed to support organizations subject to HIPAA requirements and regularly reviews its security controls as part of its ongoing security program.
Our approach includes:
Encryption in transit and at rest
Role-based access controls
Multi-factor authentication for internal systems
Security monitoring and logging
Regular penetration testing and security assessments
Incident response and security management procedures
Vendor and infrastructure security reviews
Access management and least-privilege practices
Secure hosting infrastructure
Our security and governance practices are continuously reviewed as part of our broader commitment to protecting customer data and maintaining platform integrity.
SOC 2 Type 2
Encryption via TLS 1.2/1.3 and AES-256
Multi-factor authentication (MFA)
Securely Hosted Data
Web Application Firewall (WAF)
DDoS protection
Daily encrypted backups
Role-Based Access Controls
Cyberimpact implements security measures designed to support organizations subject to HIPAA requirements. This section outlines certain practices, responsibilities, and important considerations related to the use of our platform.
Cyberimpact can provide Business Associate Agreements (BAAs) for eligible customers handling Protected Health Information (PHI).
Organizations requiring a BAA may contact our team to discuss their security, privacy, and compliance requirements.
HIPAA compliance is a shared responsibility between Cyberimpact and its customers.
Compliance with HIPAA ultimately depends on how each organization configures, uses, and governs its own environment, processes, and data. Cyberimpact provides safeguards and contractual commitments designed to support HIPAA compliance, but customers remain responsible for meeting their own legal, regulatory, and operational obligations.
While Cyberimpact provides safeguards and contractual commitments designed to support HIPAA compliance, customers remain responsible for:
To help minimize risk and protect sensitive information, Cyberimpact recommends that customers:
Cyberimpact maintains a security-focused operational approach designed to support reliability, confidentiality, and data protection.
Our broader security program includes ongoing governance, infrastructure monitoring, vulnerability management, and third-party security assessments.
To learn more about our security practices, please visit our Trust Center.
Are you an Ontario healthcare organization that would like to learn more about Cyberimpact's privacy and security practices in relation to the Personal Health Information Protection Act (PHIPA)?
Learn more about our PHIPA-related practices and privacy safeguards.
Questions about HIPAA, healthcare use cases, or Business Associate Agreements?
Contact our team to discuss your organization’s compliance and security requirements.
Cyberimpact provides a set of documents intended for security, compliance, and IT governance teams.
Due to their sensitive nature, some documents require the signing of a non-disclosure agreement (NDA).
To obtain a document subject to an NDA, please complete the form below.
(sensitive information)
Cyberimpact’s HIPAA Security Practices
Overview of the key administrative, technical, and organizational measures implemented to support organizations subject to HIPAA requirements.
Business Associate Agreements (BAA)
Agreement governing the handling of Protected Health Information (PHI) in accordance with HIPAA requirements.
System Security Plan (SSP)
Structured description of our architecture, controls, processes, and security operating model.
GDPR Compliance Assessment
Analysis of practices related to the management of personal data and their alignment with GDPR.
Technical architecture (high-level diagram)
Overview of the service architecture, including main components, data flows, and the overall organization of the system.
HECVAT lite 2.11
Standardized security and privacy assessment questionnaire (Higher Education Community Vendor Assessment Toolkit), used by educational institutions to assess risks related to technology service providers.
VPAT 2.5 (Accessibility)
Declares the level of compliance of our platform in terms of digital accessibility.
SOC 2 Type 2 Summary Letter
Summarizes the SOC 2 attestation without disclosing sensitive information.
Privacy Policy
Presents our practices for managing and protecting personal information.
Anti-spam Policy
Explains the mechanisms put in place to comply with Canadian anti-spam legislation.
Terms and Conditions
Describes contractual obligations, responsibilities, and limitations of service use.
To obtain one of our official documents available under NDA, such as our full SOC 2 report, our SSP, our GDPR assessment, or our VPAT, please complete the form below.
We invite you to provide the necessary information to allow us to process your request efficiently and provide you with documents tailored to your context.
We generally respond to requests within 3 to 5 business days*.
*Cyberimpact reserves the right not to respond to a request deemed not relevant or insufficiently justified in order to protect the confidentiality of sensitive information.
Cyberimpact — All rights reserved.