Security Practices
Learn about our security measures and compliance standards
Last updated: March 2026
We take the security of customer data seriously at Ours Privacy. If you have additional questions regarding security, please write to ciso@oursprivacy.com and we will respond as quickly as we can. This page describes the administrative, technical, and physical controls applicable to Ours Privacy.
Hosting & Infrastructure
Ours Privacy is hosted entirely on Amazon Web Services (AWS) in the United States. All customer data is stored and processed within US-based regions. Our infrastructure spans multiple US regions, with data stores and processing pipelines distributed across availability zones for resilience.
All data is encrypted at rest using AES-256 and in transit via TLS. Our web application, where users read and query PHI, enforces TLS 1.3 exclusively. Our ingest endpoints accept TLS 1.2 and 1.3 to maintain compatibility with diverse client environments; the surface where PHI is read back is not widened in the same way. HSTS is enforced across all endpoints. Our infrastructure leverages AWS's security controls, including network isolation, automated patching, and redundancy.
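The TLS posture above is something a customer or auditor can verify from the outside. The script below is an added example, not Ours Privacy's tooling: it pins a handshake to exactly TLS 1.2 and then exactly TLS 1.3, reads the HSTS header, and compares the result with the stated profile for each endpoint class (application: 1.3 only; ingest: 1.2 and 1.3). The hostnames in the `__main__` block are placeholders, and the one-year `max-age` floor for HSTS is an assumed threshold, not a figure from this page.

```python
"""Probe TLS endpoints against a stated TLS-version and HSTS policy.

Added example for verifying the posture described above; it is not
Ours Privacy's own tooling. The hostnames in __main__ are placeholders,
and the one-year HSTS max-age floor is an assumed threshold.
"""
import socket
import ssl
from typing import Optional

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3

# Profiles mirroring the page: the web app is TLS 1.3 only, ingest
# endpoints accept TLS 1.2 and 1.3. HSTS is required on both.
PROFILES = {"app": {TLS13}, "ingest": {TLS12, TLS13}}
MIN_HSTS_MAX_AGE = 31536000  # assumed floor: one year in seconds


def handshake_with(host: str, version: ssl.TLSVersion, port: int = 443,
                   timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def parse_hsts(response_head: str) -> Optional[str]:
    """Pull the Strict-Transport-Security value out of a raw HTTP response head."""
    for line in response_head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def fetch_hsts(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Send HEAD / over TLS and return the Strict-Transport-Security value, if any."""
    ctx = ssl.create_default_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request.encode("ascii"))
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return parse_hsts(raw.decode("latin-1"))


def hsts_max_age(value: Optional[str]) -> int:
    """max-age from an HSTS value; 0 when the header is absent or malformed."""
    if not value:
        return 0
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        num = num.strip().strip('"')
        if key.strip().lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def evaluate(profile: str, accepted: set, hsts: Optional[str]) -> list:
    """Compare observed handshakes and HSTS to a profile; return a list of findings."""
    expected = PROFILES[profile]
    findings = []
    for v in sorted(expected - accepted):
        findings.append(f"{v.name} expected by policy but rejected by server")
    for v in sorted(accepted - expected):
        findings.append(f"{v.name} accepted by server but not allowed by policy")
    if hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS header missing or max-age below one year")
    return findings


def audit(host: str, profile: str) -> list:
    """Probe `host` for each TLS version, read its HSTS header, and evaluate."""
    accepted = {v for v in (TLS12, TLS13) if handshake_with(host, v)}
    return evaluate(profile, accepted, fetch_hsts(host))


if __name__ == "__main__":
    # Placeholder hostnames; substitute the endpoints you are checking.
    for host, profile in (("app.example.com", "app"), ("ingest.example.com", "ingest")):
        print(host, audit(host, profile) or ["matches stated policy"])
```

Pinning `minimum_version` and `maximum_version` to the same value is the reliable way to ask "does this server speak exactly this version", since a default context will happily negotiate 1.3 even when you only wanted to know whether 1.2 is still enabled. A finding of "TLSv1_2 accepted" against an application endpoint, or a missing HSTS header on any endpoint, is a direct contradiction of the posture stated above and worth raising with the vendor.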
We do not operate on-premises infrastructure. Our cloud-native architecture enables rapid security patching and continuous monitoring across all environments.
Data Handling & Privacy
Customer data is processed exclusively in the United States. We maintain encrypted backups on a rolling retention schedule.
When a customer requests data deletion, we remove their data from production systems and active datastores. Deletion requests can be submitted to our team at any time, and customers can also configure custom data retention policies for their data. Backups containing deleted data expire naturally on the retention schedule and are not used to restore deleted records.
Every client receives a signed Business Associate Agreement (BAA) as part of onboarding, covering all products and features on the platform. We maintain signed BAAs with every vendor that handles protected health information (PHI). A Data Processing Agreement (DPA) is also available upon request.
Our full list of subprocessors is available for review.
Employee Security & Access Controls
All employees authenticate through Okta SSO with mandatory two-factor authentication (2FA). Access to production systems follows the principle of least privilege and is reviewed on a regular basis.
Background checks are performed on all employees prior to onboarding. Security awareness training is mandatory and conducted on an ongoing basis. All employees acknowledge and adhere to our security and acceptable use policies.
Access to customer data is limited and logged.
Monitoring & Compliance
Ours Privacy holds a SOC 2 Type II report, audited annually by Ascend Audit & Advisory, Inc. Our audit covers all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This means our controls are evaluated not just for preventing unauthorized access, but also for system uptime, accurate data processing, restricted disclosure of sensitive information, and the responsible handling of personal data.
We conduct continuous automated vulnerability scanning and engage independent third parties for annual penetration testing.
You can request our SOC 2 report and penetration test summary.
Server-Side Architecture
Our platform is built server-side first. All data flows through our server infrastructure by default, and our servers send it to the configured end destinations. This means customer data is processed, filtered, and governed before it ever leaves our environment.
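The security value of a server-side-first design is the policy gate it creates: a browser-side pixel sends whatever the page exposes straight to a vendor, while a server hop can project each event down to what a given destination is allowed to see. The gateway below is an added illustration of that pattern and is not Ours Privacy's implementation; the destination names, the field classification in `SENSITIVE`, the demo HMAC key and the sample event are all constructed for the example. It fails closed at configuration time if a destination without a signed BAA would receive a raw sensitive field, which ties the technical control to the vendor-agreement requirement described under Data Handling & Privacy.

```python
"""Server-side event gateway: govern data before it reaches a destination.

Added illustration of the server-side-first pattern described above; it
is not Ours Privacy's implementation. Destination names, the SENSITIVE
field set, the HMAC key and the sample event are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Fields treated as PHI/PII for this example (an assumed classification).
SENSITIVE = {"email", "phone", "diagnosis", "ip"}


@dataclass
class Destination:
    name: str
    allowed_fields: set                                  # explicit allowlist, never a denylist
    hashed_fields: set = field(default_factory=set)      # pseudonymized before sending
    under_baa: bool = False                              # may receive raw PHI only if True
    deliver: Callable[[dict], None] = lambda payload: None   # swap in an HTTP client


class ServerSideGateway:
    def __init__(self, destinations: List[Destination], hash_key: bytes):
        # Fail closed at configuration time: a destination without a BAA must
        # never be configured to receive a raw sensitive field.
        for dest in destinations:
            exposed = (dest.allowed_fields & SENSITIVE) - dest.hashed_fields
            if exposed and not dest.under_baa:
                raise ValueError(f"{dest.name} would receive raw {sorted(exposed)} without a BAA")
        self.destinations = destinations
        self.hash_key = hash_key          # keyed hash so a vendor cannot brute-force values
        self.audit_log: List[dict] = []

    def _pseudonymize(self, value: str) -> str:
        """Normalize then HMAC, so the same person matches across events without revealing the value."""
        normalized = value.strip().lower().encode("utf-8")
        return hmac.new(self.hash_key, normalized, hashlib.sha256).hexdigest()

    def govern(self, event: dict, dest: Destination) -> dict:
        """Return the projection of `event` that `dest` is permitted to receive."""
        out = {}
        for key in sorted(dest.allowed_fields & event.keys()):
            if key in dest.hashed_fields:
                out[key] = self._pseudonymize(str(event[key]))
            else:
                out[key] = event[key]
        return out

    def ingest(self, event: dict) -> Dict[str, dict]:
        """Fan an incoming event out to every destination after governance."""
        sent = {}
        for dest in self.destinations:
            payload = self.govern(event, dest)
            dest.deliver(payload)
            self.audit_log.append({
                "destination": dest.name,
                "dropped": sorted(event.keys() - payload.keys()),
            })
            sent[dest.name] = payload
        return sent


if __name__ == "__main__":
    # Constructed configuration and event for the demo.
    ads = Destination("ad-platform", {"event", "email", "page"}, hashed_fields={"email"}, deliver=print)
    warehouse = Destination("warehouse", {"event", "email", "diagnosis", "page"}, under_baa=True, deliver=print)
    gateway = ServerSideGateway([ads, warehouse], hash_key=b"constructed-demo-key")
    gateway.ingest({
        "event": "appointment_booked",
        "email": "Pat@Example.com",
        "diagnosis": "example-condition",
        "ip": "203.0.113.7",
        "page": "/book",
    })
    print(gateway.audit_log)
```

Two design points carry the weight here. The per-destination policy is an allowlist, so a new field added upstream is dropped everywhere until someone deliberately grants it; a denylist would leak it by default. And the hashing is keyed (HMAC) rather than a bare SHA-256, because an unkeyed hash of an email address is trivially reversed by hashing a list of known addresses.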
Application Security
We use runtime threat detection and continuous vulnerability assessments across our infrastructure. At the code level, static analysis runs on every pull request and dependencies are monitored for known vulnerabilities. No code ships without passing security checks.
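As an added example of the gating pattern described above (static analysis on every pull request plus dependency monitoring), the workflow below wires CodeQL and GitHub's dependency-review action into a pull-request check. It is not Ours Privacy's own pipeline: the repository, branch name and language list are placeholders, and the severity threshold is an assumed value.

```yaml
# Added example, not Ours Privacy's pipeline. Assumes a GitHub-hosted
# repository; the branch name, language list and severity are placeholders.
name: security-checks
on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload CodeQL results
  pull-requests: write     # lets dependency-review comment on the PR

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # placeholder; set to the repo's languages
          queries: security-extended
      - uses: github/codeql-action/analyze@v3

  dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # assumed threshold: block PRs introducing high/critical advisories
```

A workflow on its own only reports; "no code ships without passing security checks" also needs branch protection that lists `sast` and `dependencies` as required status checks so a failing run blocks the merge. Note too that dependency review inspects the manifest diff of the pull request, so vulnerabilities disclosed later in dependencies already on the default branch need a separate scheduled or push-triggered scan.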
AI & Machine Learning
Ours Privacy has a clear policy on artificial intelligence usage within our organization. Customer data is not used to train AI or machine learning models.
Our Statement on Artificial Intelligence Usage covers how AI tools are (and are not) utilized across our platform and operations. It addresses our data privacy commitments and our approach to responsible AI governance.
Any use of third-party AI services is disclosed in our subprocessors list and bound by the same data protection agreements that govern all of our vendor relationships.
Vulnerability Disclosure
We take reports of security vulnerabilities seriously. If you believe you have discovered a vulnerability in our systems, please report it responsibly to ciso@oursprivacy.com.
We will acknowledge receipt within one business day and work with you to understand and address the issue. We ask that you give us a reasonable amount of time to respond before making any information public.