Security & Trust

Business Associate Agreements (BAA)

We maintain valid Business Associate Agreements (BAA) with all our core infrastructure providers. Whenever protected health information (PHI) is processed or stored, these agreements ensure strict adherence to HIPAA standards and define clear responsibilities for data safeguards and breach notifications.

Data Sovereignty (Domestic Residency)

We guarantee that your data remains within your legal jurisdiction to support sovereignty and compliance requirements:

• Canada: Canadian data is stored and processed exclusively within secure data centers located in Canada, fully supporting PIPEDA and provincial privacy laws.
• United States: US data is stored and processed exclusively within secure data centers located in the United States, fully supporting HIPAA and federal regulations.

We strictly enforce data routing rules to prevent PII or billing data from crossing international borders.

Audit Logging & Monitoring

We maintain comprehensive audit trails for all access to and modifications of patient records. Our infrastructure is subject to 24/7 automated threat monitoring to detect and neutralize potential risks immediately. Log retention policies are designed to meet or exceed legal compliance standards.

Disaster Recovery & Automated Backups

To protect against ransomware and data loss, all patient records and platform data are automatically backed up daily. Backups are heavily encrypted and stored redundantly across multiple availability zones to ensure immediate disaster recovery.

Enterprise Infrastructure (SOC 2 & ISO 27001)

Biftoo is built exclusively on top-tier cloud infrastructure (AWS) that maintains rigorous global security certifications, including SOC 2 Type II, ISO 27001, and ISO 27018. Your data inherits these world-class physical and network security baselines.