HIPAA & Healthcare Compliance
Simsurveys generates synthetic survey data — no Protected Health Information (PHI) is collected, stored, or transmitted at any point. All respondent data is AI-generated and contains no real patient information.
No PHI, by design. Because the respondents are synthetic, the generated datasets contain no PHI, and the HIPAA Privacy and Security Rules do not apply to them. We nonetheless implement the HIPAA Security Rule's technical safeguards, including encryption, access controls and audit logging, because our healthcare clients expect it and because it is the right standard of care for any data platform.
Security Practices
Our security infrastructure is designed to meet the expectations of enterprise clients and regulated industries.
Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later. Encryption at rest protects data if physical storage media or backup volumes are lost or stolen; it does not replace the access controls below, which govern who can read data through the application and database.
Access Control
Role-based access control with multi-factor authentication (MFA) for all team members. Client accounts are isolated with strict permission boundaries.
Monitoring & Alerting
Continuous monitoring of infrastructure and application layers with automated alerting for anomalous access patterns, failed authentication attempts, and system health.
Confidentiality
All employees and contractors sign Non-Disclosure Agreements (NDAs). Client data is treated as confidential by default and is never shared across accounts.
Data Isolation
Each client's data is logically isolated. Survey instruments, generated datasets, and reports are accessible only to authorized users within the client's organization.
Data Availability & Integrity
We protect both the availability and integrity of your research data.
Backups
Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate locations for disaster recovery.
Uptime
Infrastructure is designed for high availability with automated failover. Platform uptime is monitored continuously and we target 99.9% availability, which corresponds to no more than roughly 8.8 hours of downtime per year.
Data Validation
Integrity checks run at every stage of the data pipeline. Generated datasets are verified for completeness and consistency before delivery to clients.
Audit & Accountability
Comprehensive logging ensures a clear record of system activity.
Login Tracking
Every authentication event is logged, including successful logins, failed attempts, MFA challenges, and session lifecycle events. Logs are retained for audit and compliance review.
Change Activity
All significant actions within the platform — study creation, data generation, exports, and account changes — are recorded with timestamps and user attribution.
Privacy & Retention
We take a straightforward approach to data privacy and retention.
- Privacy Policy: Our privacy policy is publicly available and clearly outlines what data we collect, how we use it, and your rights as a client. We do not sell or share client data with third parties.
- Data Retention: Client data is retained indefinitely for your convenience, so you can access past studies and datasets at any time. You maintain full ownership of all generated data.
- Deletion on Request: You can request complete deletion of your account and all associated data at any time. Deletion requests are processed promptly and include removal from all backups within 30 days.
Industry Alignment
We are building toward formal compliance certifications as the company scales.
SOC 2 and ISO 27001 roadmap: Simsurveys is actively working toward SOC 2 Type II and ISO 27001 certification. Our current security practices are designed to align with these frameworks, and we expect to begin formal audit processes as we expand our enterprise client base. Contact us for details on our current compliance posture and timeline.