Trust & Security
Documentation for hospital legal, IT security, and procurement teams reviewing StrokePages. This page is the reference for the "HIPAA-Aligned" claims you'll see across the site; the contractual commitments behind it live in the signed BAA and security addendum.
HIPAA Posture
- StrokePages enters into Business Associate Agreements (BAAs) with the covered entities it serves and with its own subcontractors that handle PHI, as required by 45 CFR 164.504(e).
- The public marketing site does not collect, store, or transmit Protected Health Information.
- Inside the activation product, PHI is processed only to deliver the contracted notification workflow and is not used for marketing, sale, or model training.
- StrokePages is not registered with the FDA as a medical device. The platform is a clinical communication tool, not a diagnostic, monitoring, or treatment device.
Encryption
- In transit: TLS 1.2 or higher for all browser and API traffic, and for the connections from StrokePages to its SMS and email providers. Note that TLS ends at the provider: the carrier leg of an SMS and the final hop to a recipient's mail server are outside StrokePages' control, which is one reason message content is kept to the minimum described under PHI Handling Scope.
- At rest: AES-256 for the application database and stored attachments, managed by the underlying cloud provider. Provider-managed encryption at rest protects against lost or reused storage media; it does not limit what an authenticated application or database user can read, which is what the access controls below are for.
- Secrets and credentials are stored in a managed secret store, never in source control.
Access Controls
- Role-based access control separates clinical users, hospital admins, and StrokePages support staff.
- Least-privilege model: support staff cannot view PHI without an explicit, logged break-glass action.
- Multi-factor authentication is available for admin accounts and recommended, but not required, for clinical users.
- Session timeouts and credential rotation align with common hospital IT requirements.
Audit Logging
- Every stroke code activation, notification send, and acknowledgment is logged with timestamp, actor, and recipient.
- Admin actions in the dashboard (contact changes, campus changes, deletions) are logged for retention.
- Logs are retained for the period defined in the customer's BAA and are made available on request for hospital audits and Joint Commission preparation.
PHI Handling Scope
StrokePages is designed so that PHI never leaves the hospital's control unnecessarily. Notification messages contain the minimum information required to mobilize the stroke team (e.g., campus, initiator type, ETA, neurological score). Patient names, MRNs, and detailed clinical history are not required by the platform and are not collected on the public site.
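Because the SMS carrier leg is not protected by the TLS described above, the minimum-necessary rule is what actually limits exposure, and it is most reliable when enforced by an allowlist at the point where the message is built. The following is an added example of that pattern, written for this page and not taken from StrokePages; the field names, the initiator types, the numeric ranges and the digit-run heuristic used to catch an MRN in free text are all assumptions.

```python
"""Illustrative minimum-necessary notification builder (added example, not StrokePages code).

Only the four fields the page names (campus, initiator type, ETA, neurological
score) may enter an outbound message. Unknown fields are rejected outright, values
are range-checked, and the rendered text is scanned for digit runs that look like
an MRN before it is handed to the SMS provider. All names and ranges are assumed.
"""
import re

ALLOWED_FIELDS = {"campus", "initiator_type", "eta_minutes", "nihss"}
INITIATOR_TYPES = {"ed", "ems", "inpatient", "transfer"}   # assumed vocabulary
CAMPUS_PATTERN = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,39}$")  # letters only, no digits
MRN_PATTERN = re.compile(r"\b\d{6,10}\b")                  # assumed MRN shape


class PhiLeakError(ValueError):
    """Raised when a field or value would put identifying data into a message."""


def _int_in_range(value, lo: int, hi: int, name: str) -> int:
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise ValueError(f"{name} out of range {lo}..{hi}: {value}")
    return value


def build_notification(fields: dict) -> str:
    """Render a stroke-code page from an allowlisted field set, or refuse."""
    unknown = set(fields) - ALLOWED_FIELDS
    if unknown:
        # Reject rather than silently drop: a caller passing patient_name is a bug to surface.
        raise PhiLeakError(f"disallowed fields in notification: {sorted(unknown)}")
    missing = ALLOWED_FIELDS - set(fields)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")

    campus = str(fields["campus"]).strip()
    if not CAMPUS_PATTERN.match(campus):
        raise PhiLeakError("campus must be a short alphabetic site name")
    initiator = str(fields["initiator_type"]).lower()
    if initiator not in INITIATOR_TYPES:
        raise ValueError(f"unknown initiator type: {initiator}")
    eta = _int_in_range(fields["eta_minutes"], 0, 600, "eta_minutes")
    nihss = _int_in_range(fields["nihss"], 0, 42, "nihss")  # NIHSS is scored 0..42

    message = f"STROKE CODE {campus} | {initiator.upper()} | ETA {eta} min | NIHSS {nihss}"
    # Defence in depth: even after field validation, refuse to send an MRN-shaped number.
    if MRN_PATTERN.search(message):
        raise PhiLeakError("rendered message contains an MRN-like identifier")
    return message


if __name__ == "__main__":
    # Constructed sample input.
    print(build_notification({"campus": "Main", "initiator_type": "ems",
                              "eta_minutes": 12, "nihss": 8}))
```

The important design choice is that the builder fails closed: an extra field or a campus value with an embedded number raises instead of being trimmed, so a misuse shows up in testing rather than in a carrier's message log.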
Incident Response
Suspected security incidents involving customer data are triaged within one business day. StrokePages will notify affected covered entities in line with the timelines and contents required by the executed BAA and the applicable breach notification rules (for a business associate, 45 CFR 164.410, which requires notice to the covered entity without unreasonable delay and no later than 60 calendar days after discovery).
Report a suspected incident: security@strokepages.com
Procurement Documentation
The following documents are available to hospital legal, IT security, and procurement teams under NDA:
- Business Associate Agreement (BAA) template
- Security questionnaire responses (HECVAT-Lite mapping available on request)
- Subprocessor list (Twilio for SMS; managed email provider for transactional email; managed PostgreSQL hosting)
- Privacy policy and SMS messaging policy
To request compliance documentation, contact your StrokePages representative.
This page describes StrokePages' security and compliance posture as of the date of last review. It is informational and does not, by itself, constitute a Business Associate Agreement, a binding security commitment, or a representation that StrokePages has obtained any specific third-party certification. For contractual commitments, request the signed BAA and security addendum from your StrokePages representative.