No PHI collected
Our tools process business/procurement data — product, quantity, price, vendor, department. We never ask for, and you should never upload, patient or clinical data.
Your data stays yours
Private pilot workspaces analyze your upload in-session and don't store it in any shared index. Nothing is pooled or sold.
Encrypted in transit & at rest
All traffic uses TLS 1.2+ (HTTPS). Stored data (leads, orders, pricing) is encrypted at rest with AES-256 by our hosting provider (Netlify), behind authenticated admin tools.
No payment data on-site
Orders are requests, not charges — we don't process card or bank data on the website.
Data handling
- What we process: supply-spend line items, product searches, and contact/order details you submit.
- In-session analysis: for pilot/benchmark workspaces, uploads are processed to produce your report and are not retained in a shared index. Any "improve our benchmarks" option is opt-in and retains only anonymized item/price/vendor data — never tied to your identity.
- Buy-side and honest by design: every figure traces to real data or is labeled an estimate; our tools never fabricate a price or a clinical-safety claim.
Sub-processors
- Netlify — hosting and encrypted data storage.
- OpenAI — AI features (advisor summaries, Product Finder, invoice reading, categorization). Only the text needed for the feature is sent; the advisor receives computed findings, not raw line items. Do not enter PHI.
- HubSpot — CRM for leads and inquiries.
Encryption
Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256) via our hosting provider, Netlify. We store business/procurement data only — no PHI.
Access & administration
Administrative and pricing tools are protected behind authentication and are not publicly accessible. Access is limited to authorized DHI personnel.
Compliance posture & roadmap
- HIPAA: because we do not collect or process PHI, DHI does not act as a HIPAA Business Associate for these tools. If an engagement ever requires PHI, we would scope it and execute a Business Associate Agreement first.
- SOC 2 Type II: on our compliance roadmap; we are building toward a formal attestation and can share our current security documentation on request.
- Domestic operations and SAM.gov-registered prime contractor (UEI V93LC35DCVN5).
Security questions or a vendor review?
We're glad to complete a security questionnaire or walk your team through our controls. Contact steve@digitalhealthinternational.com · (919) 275-2474.