Your Data Security Is Our Foundation.
Healthcare organizations trust Social Cascade with their patient communications. We take that responsibility seriously with enterprise-grade security, transparent practices, and a privacy-first architecture.
HIPAA Alignment
Privacy by Design: No PHI
Social Cascade is architected with a “no PHI by design” posture. Our platform delivers general public health education content to social media channels. It never collects, stores, or transmits individually identifiable health information.
This approach means healthcare organizations can use Social Cascade for patient education without triggering HIPAA covered-entity obligations for the content workflow itself. For organizations that require additional assurance, we offer Business Associate Agreements.
The Platform does not collect, store, or transmit protected health information (PHI)
All content is general public health education, never tied to individual patient records
Our Terms of Service and Platform Services Agreement explicitly prohibit PHI submission
Users are prompted with clear guidance to avoid sharing personal health details
If PHI is inadvertently submitted, our team follows a documented removal protocol
Security Practices
How We Protect Your Data
Encryption in Transit & at Rest
All data is encrypted with TLS 1.2 or higher in transit and AES-256 at rest. Database connections are required to use SSL/TLS certificates.
Access Controls
Role-based access controls, unique credentials per user, and principle of least privilege across all infrastructure.
Audit Logging
Data access audit logs are enabled across Cloud SQL, Cloud Storage, and Cloud Run for full traceability.
Infrastructure Isolation
Hosted on Google Cloud Platform with private networking, no public-access storage buckets, and workload identity federation.
Secure Development
Code reviews, automated testing, dependency scanning, and security headers (HSTS, X-Frame-Options, CSP) on every deployment.
Incident Response
Documented incident response procedures with defined escalation paths and notification timelines.
Infrastructure & Compliance
Subprocessor Inventory
We believe in full transparency about the services that support our platform. All subprocessors are contractually bound to appropriate data protection standards, and we maintain verified BAA/DPA status for each.
Provider               | Purpose                                        | BAA | DPA | PHI
Google Cloud Platform  | Infrastructure, compute, database, storage     |     |     |
Google Vertex AI       | AI content generation                          |     |     |
Vercel                 | Website hosting and edge delivery              | —   | —   |
Stripe                 | Payment processing (PCI DSS compliant)         | —   | —   |
Neon                   | Website CMS database                           | —   | —   |
GitHub                 | Source control and CI/CD (Enterprise)          |     |     |
Slack                  | Internal team communications (Enterprise Grid) |     |     |
Help Scout             | Customer support ticketing                     |     |     | ✕
Legend: Verified; — Not applicable; ✕ Not permitted
PHI is never stored or transmitted through our platform by design. Status reflects subprocessor capability, not our usage.
Business Associate Agreements
Need a BAA?
While our “no PHI by design” architecture means a BAA is not strictly required for typical use of Social Cascade, we understand that many healthcare organizations prefer the additional assurance of a signed Business Associate Agreement.
We offer BAAs at no additional cost to qualifying customers. Contact our team to discuss your compliance requirements and we’ll work with you to put the right agreements in place.
Request a BAA
Questions?
Security & Compliance Inquiries
Our team is available to answer questions about our security practices, provide additional documentation, or discuss your organization’s specific compliance requirements.