Trust Center — Privacy, Security & Compliance

EPI SOFTWARE SOLUTIONS operates a healthcare-grade Software-as-a-Service (SaaS) platform designed for compliance with GDPR, UK GDPR, HIPAA, SOC 2, and ISO/IEC 27001.

EPI SOFTWARE SOLUTIONS supports independent clinics, multi-location providers, enterprise healthcare organizations, and regulated medical service operators.

Privacy Policy

Customers act as Data Controllers. EPI SOFTWARE SOLUTIONS acts as a Data Processor under GDPR and a Business Associate under HIPAA. Personal data and Protected Health Information are processed solely to provide contracted services.

HIPAA Business Associate Agreement (BAA)

1. Definitions (HIPAA)

  • Covered Entity has the meaning set forth in 45 CFR §160.103.
  • Business Associate means EPI SOFTWARE SOLUTIONS as defined in 45 CFR §160.103.
  • Protected Health Information (PHI) has the meaning set forth in 45 CFR §160.103.
  • Security Incident has the meaning set forth in 45 CFR §164.304.
  • Breach has the meaning set forth in 45 CFR §164.402.

2. Permitted Uses and Disclosures

  • Provision of SaaS services under the master services agreement
  • System administration, maintenance, and security operations
  • Compliance with applicable law and regulatory obligations

PHI is never used for advertising, marketing, profiling, or unrelated analytics.

3. Safeguards

  • Administrative, technical, and physical safeguards per 45 CFR §164
  • Encryption of PHI at rest and in transit
  • Role-based access controls and least-privilege enforcement
  • Comprehensive audit logging and monitoring

4. Breach Notification

EPI SOFTWARE SOLUTIONS shall notify the Covered Entity without unreasonable delay and no later than 60 days following discovery of a Breach.

5. Subcontractors

All subcontractors with access to PHI are subject to written agreements imposing HIPAA-equivalent obligations.

6. Termination

Upon termination, PHI shall be returned or securely destroyed. If destruction is infeasible, protections shall survive indefinitely.

This Agreement may be executed electronically. Signed HIPAA Business Associate Agreements are available upon request.

GDPR Data Processing Agreement (DPA)

1. Definitions (GDPR)

  • Personal Data has the meaning set forth in Article 4(1) GDPR.
  • Processing has the meaning set forth in Article 4(2) GDPR.
  • Controller has the meaning set forth in Article 4(7) GDPR.
  • Processor has the meaning set forth in Article 4(8) GDPR.
  • Special Categories of Data has the meaning set forth in Article 9 GDPR.

2. Roles

  • Controller: Healthcare Provider
  • Processor: EPI SOFTWARE SOLUTIONS

3. Subject Matter & Purpose

Processing of healthcare, administrative, and operational data to provide clinic management SaaS services.

4. Processor Obligations

  • Process data only on documented instructions (Article 28)
  • Maintain confidentiality commitments
  • Implement appropriate technical and organizational measures (Article 32)
  • Assist with data subject rights requests
  • Notify personal data breaches within 72 hours

5. International Transfers

Cross-border transfers are safeguarded using Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTA), where applicable.

Signed GDPR Data Processing Agreements are available upon request.

Incident Response & Breach Handling

  • 24/7 security monitoring and alerting
  • Incident classification and escalation procedures
  • Customer notification workflows
  • Post-incident investigation and remediation

Availability & Service Level Commitments

  • Target uptime: 99.9%
  • Redundant cloud infrastructure
  • Daily encrypted backups
  • Disaster recovery and business continuity testing

Formal Service Level Agreements are provided contractually.

Sub-Processors

All sub-processors are vetted and contractually bound to equivalent data protection, confidentiality, and security obligations.

Category              | Purpose                       | Region
----------------------|-------------------------------|---------
Cloud Infrastructure  | Hosting and data storage      | EU / US
Email Delivery        | Transactional communications  | Global
Monitoring & Logging  | Security and reliability      | EU / US

Regulatory Mapping

Framework   | Coverage
------------|-----------------------------------------------------------
HIPAA       | Privacy Rule, Security Rule, Breach Notification Rule
GDPR        | Articles 5, 6, 9, 28, 32, 33
SOC 2       | Security, Availability, Confidentiality
ISO 27001   | Risk, Access Control, Incident Management, Continuity

Document Governance

  • Version: 1.0
  • Effective Date: January 1, 2026
  • Review Cycle: Annual

Material changes are communicated contractually or through the platform.

Country & Jurisdiction-Specific Annexes

EPI SOFTWARE SOLUTIONS provides jurisdiction-specific data protection and compliance annexes to support local regulatory requirements and supervisory authority expectations. These annexes form part of the contractual data protection framework.

  • European Union (EU): Country-specific GDPR annexes (e.g., Germany, France, Netherlands), including local supervisory authority references and health data nuances.
  • United Kingdom (UK): UK GDPR annex, incorporating the Data Protection Act 2018 and UK International Data Transfer Agreement (IDTA).
  • United States (US): HIPAA-focused annexes aligned with federal requirements and applicable state-level healthcare privacy laws.
  • Other Jurisdictions: Annexes for Canada (PIPEDA), Australia (Privacy Act), and other regions are available upon request.

Annexes are provided during procurement, contract negotiation, or regulatory review processes.

Control-to-Regulation Mapping

EPI SOFTWARE SOLUTIONS maintains a formal control mapping that links internal security, privacy, and operational controls directly to regulatory and assurance frameworks. This mapping supports audits, customer due diligence, and regulatory inspections.

Framework        | Mapped Controls                                 | Purpose
-----------------|-------------------------------------------------|----------------------------------------------------
HIPAA            | Administrative, Technical, Physical Safeguards  | Healthcare privacy and security compliance
GDPR / UK GDPR   | Articles 5, 6, 9, 28, 30, 32, 33                | Lawful processing and data protection
SOC 2            | CC Series Controls                              | Security, availability, confidentiality assurance
ISO/IEC 27001    | Annex A Controls                                | Information Security Management System (ISMS)

Control-to-regulation mapping documentation is available under NDA.

SOC 2 Reports & Audit Evidence

EPI SOFTWARE SOLUTIONS undergoes independent third-party audits to validate the effectiveness of its security and availability controls.

  • SOC 2 Type I: Design of controls at a point in time
  • SOC 2 Type II: Operating effectiveness over a review period

SOC 2 reports include coverage of:

  • Security
  • Availability
  • Confidentiality

Reports and supporting audit evidence are made available to customers and prospects under a non-disclosure agreement (NDA).

Trust Center Portal

EPI SOFTWARE SOLUTIONS maintains a centralized Trust Center portal for customers, partners, and regulators to access compliance documentation.

The Trust Center includes:

  • Privacy Policy, HIPAA BAA, and GDPR DPA
  • Sub-processor lists and updates
  • SOC 2 reports and certifications
  • Security whitepapers and architecture overviews
  • Incident response summaries and notifications

Access to restricted materials is governed by role-based permissions and contractual requirements.

Procurement & Due Diligence Support

EPI SOFTWARE SOLUTIONS supports customer procurement, legal, compliance, and information security teams throughout vendor risk assessment processes.

  • Security questionnaires (SIG, CAIQ, custom)
  • Data protection impact assessments (DPIAs)
  • Vendor risk and compliance reviews
  • Regulatory inquiry and audit support

Dedicated compliance and security contacts are available to support enterprise and regulated customers.

Automated Change Logs

EPI SOFTWARE SOLUTIONS implements an automated change log system for all compliance-related documents, configurations, and platform updates.

  • Tracks changes to Privacy Policy, BAA, DPA, and security policies
  • Maintains timestamped version history accessible to authorized personnel
  • Supports audit requests and regulatory reviews
  • Enables proactive notifications to customers and stakeholders

This system ensures transparency and traceability for all compliance artifacts.

Real-Time Sub-Processor Notifications

EPI SOFTWARE SOLUTIONS provides real-time notifications to customers regarding changes to sub-processors or new engagements that may involve personal data or PHI.

  • Immediate notification for new sub-processors with relevant scope
  • Updates to existing sub-processor contracts, security posture, or certifications
  • Centralized reporting via Trust Center portal
  • Ability to review and object to sub-processors within contractual notice period

This process ensures customers maintain continuous oversight over their data.

Signed Artifact Downloads

Customers and authorized partners can download signed and timestamped copies of key compliance documents directly from the Trust Center.

  • Privacy Policy (PDF + digital signature)
  • HIPAA Business Associate Agreement (BAA)
  • GDPR Data Processing Agreement (DPA)
  • SOC 2 and ISO/IEC 27001 certificates
  • Sub-processor agreements and attestation letters

All downloads are cryptographically verified and tamper-evident, ensuring regulatory defensibility.

Public / Private Trust Center

EPI SOFTWARE SOLUTIONS operates a dual-layer Trust Center to optimize transparency and security:

  • Public Trust Center: High-level compliance overview, SOC 2 summary, standard privacy policies, and certifications
  • Private Trust Center: Customer-specific artifacts, signed agreements, audit reports, sub-processor details, and detailed operational evidence

Access is controlled via identity management and role-based permissions, ensuring that sensitive compliance information is only available to authorized users.

Automated Regulatory Updates

EPI SOFTWARE SOLUTIONS maintains a system that monitors regulatory changes impacting HIPAA, GDPR, UK GDPR, ISO 27001, SOC 2, and other applicable frameworks.

  • Tracks changes to regulatory guidance, laws, and standards in real time
  • Automatically flags impacted policies, controls, and customer obligations
  • Generates update recommendations for internal teams and customers
  • Ensures continuous compliance with minimal manual intervention

This automated approach enhances agility, reduces risk, and supports enterprise-level regulatory governance.