SurfacerIQ operates as a HIPAA-compliant contact center intelligence platform for healthcare organizations, home care agencies, hospices, DME suppliers, and other entities that handle Protected Health Information (PHI). Our security posture, administrative safeguards, and technical controls are designed to meet the HIPAA Security Rule and Privacy Rule requirements applicable to business associates.
Business Associate Agreements
SurfacerIQ signs a Business Associate Agreement (BAA) with every customer that may transmit, store, or process PHI through the platform. The BAA governs permitted uses and disclosures of PHI, breach notification obligations, subcontractor flow-down requirements, and the return or destruction of PHI upon termination. To request our standard BAA or negotiate a customer paper BAA, contact security@surfaceriq.com.
Administrative safeguards
Access to production systems is restricted to authorized personnel who have completed HIPAA privacy and security training. We maintain documented policies for workforce onboarding and offboarding, role-based access review, incident response, and business continuity. All personnel with access to PHI operate under signed confidentiality obligations and are subject to background checks where permitted by applicable law.
Technical safeguards
PHI is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Authentication requires strong passwords and supports single sign-on (SSO) and multi-factor authentication (MFA). We enforce least-privilege access, audit logging of PHI access events, and continuous monitoring for anomalous activity. Call recordings, transcripts, and derived analytics containing PHI are stored in isolated tenant-scoped storage with row-level authorization.
Physical and network safeguards
SurfacerIQ is hosted on SOC 2-audited cloud infrastructure in the United States. Physical access to data center facilities is managed by the underlying cloud provider under their SOC 2, ISO 27001, and HIPAA attestation programs. Network traffic is segmented, protected by web application firewalls, and monitored for intrusion.
Subprocessors
We limit the subprocessors that may process PHI on our behalf, execute BAAs with each of them, and maintain a current subprocessor list available on request. Customers are notified in advance of material changes to our subprocessor roster.
Breach notification
In the unlikely event of a confirmed breach of unsecured PHI, SurfacerIQ will notify affected customers without unreasonable delay and no later than the timeframe required by the BAA and applicable law, and will cooperate with customers on their obligations under the HIPAA Breach Notification Rule.
Requesting documentation
For our current BAA template, security whitepaper, subprocessor list, penetration test summary, or SOC 2 report, contact security@surfaceriq.com. We respond to compliance and security documentation requests within two business days.