Security & Compliance

Securing and protecting our customers’ and patients’ data is a top priority at Collette Health.  We have built a comprehensive Information Security program to ensure we can protect your data and privacy in every facet of our business.

SOC 2 Type II

Collette Health undergoes an annual SOC 2 Type II audit to ensure the security and availability of our organization and application infrastructure.  You can request access to the report at our Trust Center.

HIPAA Compliance

Collette Health was designed from the start to comply with the HIPAA Security and Privacy Rules.  We utilize a third-party auditor to assess our HIPAA compliance and ensure we are following the high standards that we set for data security.  You can read more about how we achieve HIPAA compliance by downloading our Compliance Datasheet.

Data Sovereignty

All Collette Health data is stored in datacenters within the continental United States. While we do rely on offshore staff and contractors for certain roles in our organization, only our U.S. support and development teams have access to production data.

Data Security

TLS 1.2 is enforced throughout all our services, and all data is encrypted in transit and at rest with AES-256.  We perform additional field level encryption in our databases and ensure that all user credentials stored in the Collette Health application are encrypted with multiple rounds of a one-way password hashing function.

Data is kept logically separate in various layers throughout the Collette Health cloud infrastructure, and databases are continuously replicated to multiple geographic regions.  Database snapshots are taken at least daily and can be used to restore data if a critical disruption occurs.  Role based access is enforced both within the Collette Health application and within our organization to ensure that confidential data can only be accessed by those individuals who should have access to it.

Cloud Infrastructure Security

The Collette Health application is hosted primarily in Google Cloud, and we leverage their secure-by-design infrastructure to offer our customers a cloud native application built on the same secure and highly available global network that Google uses.  Google Cloud is ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP compliant.

Additional third-party sub processors and services that support our internal infrastructure rely on AWS or Microsoft Azure.  We hold all our sub processors, SaaS partners, and third-party contractors to the same high standard and conduct regular security reviews.  You can view a full list of our sub processors by visiting our Trust Center.

Vulnerability Management

Our Information Security team utilizes a variety of tools to proactively scan for and remediate vulnerabilities.  Additionally, we partner with outside security firms to perform annual network penetration tests, web application penetration tests, and other security services.

Security Training

All Collette Health employees, regardless of role, undergo regular security awareness training, and annual HIPAA training.

We’re Here to Help

If you have any questions, comments, concerns, or if you wish to report a potential security issue or vulnerability, please contact