Heritage Web and Compliance

Written by Brandon Austin
Updated over 2 months ago

At Heritage Web, we prioritize the security, privacy, and regulatory compliance of our platform and services. Each year, we conduct a formal self-assessment of our systems and processes to verify adherence to relevant U.S. laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), applicable consumer data protection laws, and industry best practices. The following safeguards are in place to protect our users and their data:


Security Measures and Operational Controls

Data encryption in transit and at rest: All personal and sensitive data transmitted to and stored within the Heritage Web platform is encrypted using industry-standard protocols. This ensures that protected health information (PHI), personally identifiable information (PII), and other sensitive records are inaccessible to unauthorized parties.

Restricted access to production systems: Access to our production infrastructure is limited to a small, vetted team of authorized personnel with access controls based on role and necessity. All access is logged and reviewed periodically.

Frequent data backups: We perform automated data backups multiple times per day to ensure continuity and rapid restoration in the event of system failure or data corruption.

Strict system access controls: To prevent unauthorized data exposure, we enforce multi-factor authentication, logical segmentation of data access, and strict session policies.

High-availability architecture and disaster recovery: Our systems are deployed with failover capabilities and data replication across multiple zones. Daily backups are retained and tested regularly to ensure business continuity during emergencies.

99.9% uptime commitment: We are committed to maintaining at least 99.9% service uptime across our core platform, ensuring consistent availability for all users. Real-time operational transparency is available upon request.


Administrative and Customer Controls

Heritage Web also provides built-in administrative features that enable customers to manage access and ensure security, including:

  • Role-based access management for organization accounts

  • Audit logs and user activity tracking

  • Permissions to control who may publish, edit, or remove sensitive data or listings

  • Explicit controls for enabling or disabling messaging features, referrals, or contact information sharing

  • Ongoing security training for internal teams


HIPAA Compliance

Heritage Web follows HIPAA’s Privacy and Security Rule requirements when handling protected health information (PHI) on behalf of healthcare-related users. Although HIPAA does not require certification, we conduct an annual HIPAA compliance self-assessment and implement safeguards as outlined in 45 CFR Parts 160 and 164, Subparts A and E.

We offer Business Associate Agreements (BAAs) to eligible covered entities and partners. If your organization needs to enter into a BAA with Heritage Web, please contact us at [email protected]. Once signed, we will apply enhanced administrative controls and ensure all PHI is processed in accordance with HIPAA.

Important: Heritage Web’s BAA is based strictly on HIPAA regulatory requirements. We do not accept third-party redlined edits or addendums to our standard BAA.


Data Breach and Incident Response

We maintain a documented and tested Breach Notification Policy in accordance with HIPAA and U.S. breach notification laws. In the event of a confirmed security incident, affected users will be notified without unreasonable delay.

All employees undergo security awareness training and receive regular briefings on compliance obligations and data protection best practices.


Reporting Security Vulnerabilities

We encourage responsible disclosure of security vulnerabilities. If you identify a valid vulnerability in our platform or services, please contact our security team at [email protected].

Valid security disclosures may be eligible for public acknowledgment or other forms of recognition. All reports must follow responsible disclosure guidelines and avoid any testing that could disrupt or compromise user data or system integrity.


For more information on Heritage Web’s compliance program or to request a copy of our BAA, security overview, or terms of service, please email [email protected].