Compliance Documentation

Last Updated: October 5, 2025

Document Version: 2.0.3

Overview

Almond Connect maintains strict compliance with healthcare and payment card industry regulations. This document outlines our compliance certifications, audit capabilities, and regulatory safeguards.

HIPAA Compliance Features

Audit Logging

Comprehensive audit trail tracking:

  • User authentication events
  • Patient record access and modifications
  • Financial transactions
  • Data export and deletion events
  • Security-relevant activities

Patient Privacy

  • De-identified References: Patient data protection through secure coding practices
  • Secure Patient Portals: Protected access to bills and documents
  • Communication Preferences: Patients control their communication settings
  • Data Retention Policies: Compliant data retention and deletion practices

Business Associate Agreement (BAA)

  • Providers must sign BAA before accessing patient data
  • BAA status tracked and enforced
  • Digital signature capture with timestamp recording

Compliance Certifications

Current Compliance

  • HIPAA Compliant: Technical and administrative safeguards in place
  • SOC 2 Type II (via Stripe): For payment processing infrastructure
  • PCI DSS Level 1 (via Stripe): For payment card processing
  • GDPR Ready: Data protection and privacy controls

Payment Security

Third-Party Payment Processing

Almond Connect uses Stripe, a PCI DSS Level 1 certified payment processor, for all payment processing. This provides:

  • PCI DSS Level 1 Compliance: Highest level of payment card security certification
  • Tokenization: Credit card data never touches our servers
  • Strong Customer Authentication: Enhanced security for payment verification
  • Fraud Prevention: Advanced fraud detection and prevention
  • Encryption: Industry-standard encryption for all payment data

Financial Data Protection

  • No PCI Scope: We never handle or store raw card data
  • Secure Integration: Payment processing through certified third-party provider
  • Audit Trails: Complete tracking of all financial transactions

Data Protection & Privacy

Protected Health Information (PHI) Encryption

All Protected Health Information (PHI) is encrypted at rest:

  • Patient demographic information
  • Contact information
  • Medical records and clinical data
  • Appointment and treatment notes
  • Medication information

Database Security

  • Encrypted Connections: Secure database connections
  • Backup Encryption: Automated encrypted backups
  • Environment Isolation: Separate databases for development, staging, and production

Email Compliance

Email Service Implementation

  • Authenticated Sending: Industry-standard email authentication
  • Template Security: All email templates validated and sanitized
  • Unsubscribe Compliance: CAN-SPAM compliant unsubscribe handling
  • Abuse Prevention: Rate limiting and monitoring

Incident Response

Monitoring & Alerts

  • Continuous Monitoring: Real-time monitoring and alerting
  • Anomaly Detection: Automated detection of unusual activity patterns
  • Audit Log Review: Regular review of security logs and activities

Response Procedures

  • Incident Protocol: Documented procedures for security incident response
  • User Notification: Procedures for notifying affected users per regulatory requirements

Compliance Contact

For compliance questions or concerns, please contact:

  • Email: hello@almondconnect.com
  • Response Time: Compliance inquiries addressed within 24 hours