Trust & Security

How we protect your data

Built for healthcare buyers: procurement data only, analyzed privately, never sold. Here's exactly how it works.

No PHI collected

Our tools process business/procurement data — product, quantity, price, vendor, department. We never ask for, and you should never upload, patient or clinical data.

Your data stays yours

Private pilot workspaces analyze your upload in-session and don't store it in any shared index. Nothing is pooled or sold.

Encrypted in transit & at rest

All traffic uses TLS 1.2+ (HTTPS). Stored data (leads, orders, pricing) is encrypted at rest with AES-256 by our hosting provider (Netlify), behind authenticated admin tools.

No payment data on-site

Orders are requests, not charges — we don't process card or bank data on the website.

Data handling

  • What we process: supply-spend line items, product searches, and contact/order details you submit.
  • In-session analysis: for pilot/benchmark workspaces, uploads are processed to produce your report and are not retained in a shared index. Any "improve our benchmarks" option is opt-in and retains only anonymized item/price/vendor data — never tied to your identity.
  • Buy-side and honest by design: every figure traces to real data or is labeled an estimate; our tools never fabricate a price or a clinical-safety claim.

Sub-processors

  • Netlify — hosting and encrypted data storage.
  • OpenAI — AI features (advisor summaries, Product Finder, invoice reading, categorization). Only the text needed for the feature is sent; the advisor receives computed findings, not raw line items. Do not enter PHI.
  • HubSpot — CRM for leads and inquiries.

Encryption

Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256) via our hosting provider, Netlify. We store business/procurement data only — no PHI.

Access & administration

Administrative and pricing tools are protected behind authentication and are not publicly accessible. Access is limited to authorized DHI personnel.

Compliance posture & roadmap

  • HIPAA: because we do not collect or process PHI, DHI does not act as a HIPAA Business Associate for these tools. If an engagement ever requires PHI, we would scope it and execute a Business Associate Agreement first.
  • SOC 2 Type II: on our compliance roadmap; we are building toward a formal attestation and can share our current security documentation on request.
  • Domestic operations and SAM.gov-registered prime contractor (UEI V93LC35DCVN5).

Security questions or a vendor review?

We're glad to complete a security questionnaire or walk your team through our controls. Contact steve@digitalhealthinternational.com · (919) 275-2474.