Trust Center

Last updated: March 2026

GuardWell Compliance is built to handle sensitive healthcare data responsibly. This page describes our security controls, compliance posture, subprocessor list, and security practices.

Security Controls

Infrastructure

Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage) with US-only data residency. All infrastructure hosted in SOC 2 Type II certified data centers within the United States.

Encryption

TLS 1.2 or later is required for all data in transit. Data at rest is encrypted with AES-256 using Google-managed encryption keys (the Google Cloud default, under which Google holds and rotates the key material). No unencrypted PHI is stored or transmitted.

Authentication

Firebase Authentication, with multi-factor authentication (MFA) available for all user accounts. Sessions time out automatically after a period of inactivity.

Access Control

Role-based access control with four tiers: Owner, Admin, Staff, and Viewer. The principle of least privilege is applied across all roles and data access paths.

Audit Logging

All data access and modifications are logged with user identity, timestamp, action taken, IP address, and data accessed. Audit logs are retained for a minimum of six years.

Backup & Recovery

Automated daily database backups with point-in-time recovery. Recovery time and recovery point objectives are documented and tested at least annually.

Monitoring

Real-time error tracking, uptime monitoring, and automated alerts. Infrastructure health is continuously monitored with defined escalation procedures.

Compliance Posture

HIPAA

The platform is designed for HIPAA compliance. A Business Associate Agreement (BAA) is available to all customers.

Data Processing

A Data Processing Agreement (DPA) is available covering our data handling practices, sub-processors, and your rights as a data controller.

AI

Customer compliance data is not used for AI model training without explicit opt-in consent. AI features operate on practice context only; no raw PHI is sent to third-party AI providers unless a user explicitly initiates it.

Data Portability

Full CSV and JSON export is available for all customer data. Customer data is deleted after account cancellation upon request.

Subprocessor List

We notify customers at least 30 days before adding or replacing a subprocessor that handles personal data or ePHI.

Subprocessor              Purpose
Google Cloud Platform     Infrastructure, compute, storage, database
Firebase (Google)         Authentication, user identity
Stripe                    Payment processing
Anthropic (Claude)        AI features (Concierge, content generation)
Resend                    Transactional email delivery

Security Practices

  • Regular security assessments and vulnerability reviews

  • Dependency scanning and patch management

  • Secure development lifecycle

  • Incident response plan with defined notification timelines

Contact

Security inquiries: security@gwcomp.com
Privacy inquiries: privacy@gwcomp.com
BAA / DPA requests: support@gwcomp.com
