Secure Medical Communication

HIPAA-Ready Email Communications for Healthcare Organizations

Healthcare organizations trust Cyberimpact to communicate securely with patients, members, staff, and stakeholders through a platform designed with strong security and privacy safeguards.

Cyberimpact supports healthcare organizations by providing administrative, technical, and organizational measures designed to help customers meet their HIPAA compliance obligations when using our platform appropriately.


Supporting HIPAA Requirements

Cyberimpact maintains security practices designed to support organizations subject to the Health Insurance Portability and Accountability Act (HIPAA), including safeguards aligned with the HIPAA Security Rule.

HIPAA does not provide a formal certification program. Cyberimpact maintains safeguards designed to support organizations subject to HIPAA requirements and regularly reviews its security controls as part of its ongoing security program.

Our approach includes:

  • Encryption in transit and at rest
  • Role-based access controls
  • Multi-factor authentication for internal systems
  • Security monitoring and logging
  • Regular penetration testing and security assessments
  • Incident response and security management procedures
  • Vendor and infrastructure security reviews
  • Access management and least-privilege practices
  • Secure hosting infrastructure

Our security and governance practices are continuously reviewed as part of our broader commitment to protecting customer data and maintaining platform integrity.

Key platform safeguards:

  • SOC 2 Type 2 attestation
  • Data encryption via TLS 1.2/1.3 in transit and AES-256 at rest
  • Multi-factor authentication (MFA)
  • Securely hosted data
  • Web Application Firewall (WAF)
  • DDoS protection
  • Daily encrypted backups
  • Role-based access controls

Security Framework and Best Practices

Cyberimpact implements security measures designed to support organizations subject to HIPAA requirements. This section outlines certain practices, responsibilities, and important considerations related to the use of our platform.

Business Associate Agreements (BAAs)

Cyberimpact can provide Business Associate Agreements (BAAs) for eligible customers handling Protected Health Information (PHI).

Organizations requiring a BAA may contact our team to discuss their security, privacy, and compliance requirements.

Shared Responsibility Model

HIPAA compliance is a shared responsibility between Cyberimpact and its customers.

Compliance with HIPAA ultimately depends on how each organization configures, uses, and governs its own environment, processes, and data.

While Cyberimpact provides safeguards and contractual commitments designed to support HIPAA compliance, customers remain responsible for:

  • Configuring and using the platform appropriately
  • Managing user access and permissions
  • Determining what information is transmitted through email
  • Ensuring their own internal policies and workflows comply with applicable laws and regulations

Recommended Best Practices

To help minimize risk and protect sensitive information, Cyberimpact recommends that customers:

  • Avoid including unnecessary medical or sensitive information in email content
  • Limit the use of Protected Health Information (PHI) to what is strictly necessary
  • Use secure portals or controlled-access environments for highly sensitive healthcare information
  • Implement internal policies governing the appropriate handling of PHI
  • Apply least-privilege access practices within their organization

Security-First Infrastructure

Cyberimpact maintains a security-focused operational approach designed to support reliability, confidentiality, and data protection.

Our broader security program includes ongoing governance, infrastructure monitoring, vulnerability management, and third-party security assessments.

To learn more about our security practices, please visit our Trust Center.

Ontario Healthcare Organizations

Are you an Ontario healthcare organization that would like to learn more about Cyberimpact's privacy and security practices in relation to the Personal Health Information Protection Act (PHIPA)?

Learn more about our PHIPA-related practices and privacy safeguards.


Contact Us

Questions about HIPAA, healthcare use cases, or Business Associate Agreements?

Contact our team to discuss your organization’s compliance and security requirements.

Documents we can provide

Cyberimpact provides a set of documents intended for security, compliance, and IT governance teams.

Due to their sensitive nature, some documents require the signing of a non-disclosure agreement (NDA).

To obtain a document subject to an NDA, please complete the form below.

Documents available under NDA (sensitive information)


Cyberimpact’s HIPAA Security Practices
Overview of the key administrative, technical, and organizational measures implemented to support organizations subject to HIPAA requirements.


Business Associate Agreements (BAA)
Agreement governing the handling of Protected Health Information (PHI) in accordance with HIPAA requirements.


System Security Plan (SSP)
Structured description of our architecture, controls, processes, and security operating model.


GDPR Compliance Assessment
Analysis of practices related to the management of personal data and their alignment with GDPR.


Technical architecture (high-level diagram)
Overview of the service architecture, including main components, data flows, and the overall organization of the system.


HECVAT Lite 2.11
Standardized security and privacy assessment questionnaire (Higher Education Community Vendor Assessment Toolkit), used by educational institutions to assess risks related to technology service providers.


VPAT 2.5 (Accessibility)
Declares the level of compliance of our platform in terms of digital accessibility.

Documents available without NDA


SOC 2 Type 2 Summary Letter
Summarizes the SOC 2 attestation without disclosing sensitive information.


Privacy Policy
Presents our practices for managing and protecting personal information.


Anti-spam Policy
Explains the mechanisms put in place to comply with Canadian anti-spam legislation.


Terms and Conditions
Describes contractual obligations, responsibilities, and limitations of service use.

Document request form


To obtain one of our official documents available under NDA, such as our full SOC 2 report, our SSP, our GDPR assessment, or our VPAT, please complete the form below.

We invite you to provide the necessary information to allow us to process your request efficiently and provide you with documents tailored to your context.

We generally respond to requests within 3 to 5 business days*.

*Cyberimpact reserves the right not to respond to a request deemed not relevant or insufficiently justified in order to protect the confidentiality of sensitive information.
