HIPAA Compliant | BAA Available

Compliance Is Not Optional in Healthcare.

Every system we build is designed from the ground up to protect your practice's regulatory standing and your patients' privacy. HIPAA compliance is not a feature we added — it is the foundation of our architecture.

Our HIPAA Compliance Framework

Business Associate Agreements (BAAs)

ReputorSystems executes a Business Associate Agreement with every client practice before any data exchange occurs. Our BAA covers all data processing activities, including SMS campaigns, email marketing, CRM data storage, and analytics reporting. We also maintain BAAs with all technology sub-processors, including GoHighLevel, our SMS gateway providers, and cloud infrastructure partners.

No Clinical Data in Marketing Campaigns

Our marketing automation systems are architected to operate without accessing, processing, or storing clinical information. Review request campaigns are triggered by appointment completion events, not by diagnosis codes, treatment records, or any other clinical data. The only patient data a campaign touches is contact information (name, phone number, email address). Because that information is held on behalf of a healthcare provider, we treat it as Protected Health Information (PHI) covered by the BAA, and it is encrypted in transit and at rest using AES-256.

HIPAA-Compliant SMS and Email

All SMS and email communications deployed through the ReputorSystems platform comply with HIPAA's minimum necessary standard. Our templates are reviewed by healthcare compliance counsel and updated whenever relevant guidance changes. We do not include appointment details, diagnosis information, or any clinical data in marketing communications.

Data Encryption and Access Controls

All data stored in the ReputorSystems platform is encrypted at rest using AES-256 and in transit using TLS 1.3. Access to client data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication. All access is logged and audited.

Breach Notification Procedures

In the event of a security incident involving unsecured PHI, ReputorSystems follows HIPAA's Breach Notification Rule requirements for business associates: we notify affected covered entities without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach, and we provide the information the covered entity needs to meet its own notification obligations. We maintain a documented incident response plan that is tested and updated annually.

Privacy Policy Summary

Data Collection: ReputorSystems collects only the information necessary to provide our services, including practice contact information, marketing performance data, and platform usage analytics. We do not collect, access, or process patient health records or clinical data.

Data Use: Collected data is used exclusively to provide and improve the ReputorSystems platform and services. We do not sell, rent, or share client data with third parties for marketing purposes.

Data Retention: Client data is retained for the duration of the service agreement plus 12 months, after which it is securely deleted in accordance with our data retention policy. Clients may request earlier deletion at any time.

Your Rights: Clients have the right to access, correct, export, or delete their data at any time. To exercise these rights, contact our compliance team at [email protected].

Disclaimer: This page provides a summary of our compliance practices for informational purposes. It does not constitute legal advice. For a complete copy of our BAA, Privacy Policy, or Terms of Service, or to discuss specific compliance requirements for your practice, please contact our compliance team.

Questions About Compliance?

Our compliance team is available to walk through our BAA, data handling procedures, and security architecture with your practice administrator or legal counsel.