Home /Data Protection & Security

Data Protection & Security Policy

We are committed to safeguarding your data with industry-standard controls, privacy-by-design, and transparent practices across our platform.

IntroductionScopeData We CollectHow We Use DataLegal BasisSharing & ProcessorsInternational TransfersSecurity MeasuresRetention & DeletionYour RightsCookiesIncident ResponseContactUpdates to this Policy

Introduction

This Data Protection & Security Policy explains how we collect, use, store, and protect personal data when delivering our services. We follow the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Scope

This policy applies to all client data we process across our products, APIs, and support services, including data handled by authorized subprocessors on our behalf.

Data We Collect

  • Account data (name, email, organization details)
  • Operational data (usage logs, device/browser metadata)
  • Support data (tickets, emails, chat transcripts)
  • Clinical/EHR-related data as configured by our customers

How We Use Data

  • To provide and improve our services and features
  • To secure the platform, prevent abuse, and ensure reliability
  • To offer support and respond to inquiries
  • To meet legal, regulatory, and compliance obligations

Data Sharing & Subprocessors

We do not sell personal data. We may engage vetted subprocessors to deliver specific functionality. These processors are bound by data processing agreements and security obligations equivalent to ours.

Representative Subprocessor Categories
  • Cloud infrastructure and storage
  • Email delivery and notifications
  • Analytics and observability
  • Customer support tooling

International Transfers

Where data is transferred across borders, we implement appropriate safeguards such as standard contractual clauses and regional hosting options where applicable.

Security Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES‑256)
  • Secret management, key rotation, and environment isolation
  • Role-Based Access Control and least-privilege permissions
  • MFA/SSO for administrative access; account session controls
  • Comprehensive audit logging and immutable log retention
  • Network security (firewalls, VPCs, WAF, rate limiting)
  • Backups with tested restore; defined RPO/RTO objectives
  • Vulnerability scanning, dependency monitoring, and periodic penetration testing
  • Secure SDLC, code reviews, and change management
  • Tenant data segregation and data minimization practices

Data Retention & Deletion

We retain data only for as long as necessary to fulfill the purposes described in this policy or as required by law. Upon request or contract termination, we delete or anonymize data following defined procedures and timelines.

Your Rights

Depending on your jurisdiction, you may have rights to access, rectify, erase, restrict, object, port your data, or withdraw consent. We respond to verified requests within statutory timeframes.

Cookies & Similar Technologies

We use essential cookies for authentication and security, and optional analytics cookies to improve the service. You can manage preferences through your browser or in-product settings where available.

Incident Response

We maintain an incident response plan including detection, containment, eradication, recovery, and post‑incident review. Where legally required, we notify affected customers and regulators within applicable timelines.

Contact

For data protection requests or questions, contact our team at privacy@tiba.health.

Updates to this Policy

We may update this policy to reflect changes in practices or legal requirements. Material changes will be communicated through the product or email. Last updated: 9/27/2025.

© 2025 Tiba. All rights reserved.

About UsContactData Policy