Compliance - Incident Tracker

HIPAA

Incident Tracker is HIPAA compliant. We follow HIPAA Security Rule requirements for organizations that handle protected health information. A Business Associate Agreement (BAA) is available upon request and is standard for healthcare and behavioral health customers. (HIPAA compliance for SaaS vendors is self-attested — no formal government certification program exists.)

• BAA available for covered entities and business associates
• Access controls and audit trails that meet HIPAA Security Rule requirements
• Field-level redactions to restrict visibility of sensitive information
• Shared responsibility model documented and available on request

NIST Cybersecurity Framework

Our security program is structured around the five core functions of the NIST Cybersecurity Framework — a standard commonly required by government and public sector customers.

• Identify — Asset inventory and risk assessment processes maintained
• Protect — Encryption, access controls, SSO, and role-based permissions
• Detect — Logging, monitoring, and alerting on security events
• Respond — Documented incident response procedures in place
• Recover — Automated backups, redundancy, and business continuity planning

A security responsibilities matrix is available upon request.

Data Ownership & Portability

Your organization owns its data at all times. There is no vendor lock-in — you are never dependent on us to access your records.

• Full data export available at any time via CSV or API
• No use of customer data for any purpose other than delivering the service
• Data deletion and destruction verification available upon request at end of contract

Requesting Documentation

If your organization requires a BAA, security questionnaire, or compliance documentation as part of a vendor review, contact our team and we’ll respond promptly.