HIPAA & SOC 2
Last updated: [LEGAL VERIFY date]
gojitech builds AI healthcare infrastructure for reimbursed medicine. The following statements describe our compliance posture for healthcare-data obligations relevant to our US-facing and Canadian-facing customers. All statements marked [LEGAL VERIFY] are pending confirmation by legal counsel prior to publication.
HIPAA Readiness (US Operations)
Where gojitech operates as a business associate under the Health Insurance Portability and Accountability Act (HIPAA) for US-facing operations, we implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule.
Business Associate Agreements (BAAs) are available for covered entities and their business associates. To request a BAA or discuss HIPAA compliance requirements for your organization, contact us at compliance@gojitechsystems.com.
Scope
HIPAA obligations apply to gojitech product platforms (ClaimRx, GuideRx, AutoFlow) where those platforms process protected health information (PHI) on behalf of a covered entity. This marketing website does not collect or process PHI.
SOC 2 Type II
gojitech is pursuing SOC 2 Type II attestation covering the Security and Availability Trust Services Criteria. Attestation scope and coverage period are pending confirmation. This statement will be updated upon receipt of the attestation report.
Prospective and current customers may request a copy of our SOC 2 report or a bridge letter by contacting compliance@gojitechsystems.com. Reports are shared under a mutual non-disclosure agreement.
Technical Safeguards
gojitech product platforms implement the following technical controls across all environments:
- Encryption in transit — all data in transit is encrypted using TLS 1.2 or higher
- Encryption at rest — all stored data is encrypted at rest using industry-standard algorithms
- Access controls — role-based access control (RBAC) applying the principle of least privilege; multi-factor authentication is required for administrative access
- Audit logging — access and activity logs are retained and reviewed for anomalous behaviour
- Vulnerability management — regular security assessments and penetration testing conducted by qualified third parties
Data Residency
By default, gojitech stores and processes customer data on Canadian-hosted infrastructure. Customers with specific data residency requirements should contact us to discuss available configurations.
Breach Notification
In the event of a confirmed data breach involving personal information or PHI, gojitech will notify affected customers and, where required, applicable regulatory authorities within the timeframes mandated by applicable law. Notification procedures are documented in our Incident Response Plan and reviewed annually.
Canadian Privacy Framework
gojitech's primary privacy framework is Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). We also observe Quebec's Law 25 (Act respecting the protection of personal information in the private sector) for Quebec residents and applicable provincial legislation in Alberta and British Columbia.
Compliance Inquiries
For compliance-related questions, including BAA requests, SOC 2 report access, or security questionnaires:
gojitech
235 Yorkland Blvd, Suite 301, North York, ON M2J 4Y8
compliance@gojitechsystems.com
(416) 662-3189