Healthcare Compliance
Routiq is designed with healthcare compliance in mind. We implement industry-standard security controls to protect patient data.
HIPAA Alignment
While Routiq is not currently HIPAA certified, we implement HIPAA-aligned security controls:
- Data Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based permissions and row-level security
- Audit Logs: Complete tracking of all data access (retained for 7 years)
- Secure Infrastructure: SOC 2 Type II certified cloud providers
GDPR Compliance
For practices in the EU or treating EU patients, Routiq supports GDPR requirements:
Patient Rights
- Right to access (data export available)
- Right to erasure (account deletion)
- Right to data portability
- Right to rectification
- Privacy by design
- Data minimization (we only collect what’s needed)
- Encryption and secure storage
- Breach notification within 72 hours
Regional Standards
Australia
- Privacy Act 1988
- Australian Privacy Principles (APPs)
- Spam Act 2003 compliance
- HIPAA-aligned controls
- State privacy laws (CCPA, etc.)
Data Privacy
What We Collect
Required for patient reactivation:
- Patient name and contact information
- Appointment history
- Treatment types
- Medical diagnoses
- Test results
- Clinical notes
- Payment information
How We Use Your Data
- Patient reactivation campaigns - The core purpose
- Service improvements - Analytics to improve Routiq
- Compliance - Required record keeping
How We Protect Your Data
Encryption
- All data encrypted at rest (AES-256)
- All data encrypted in transit (TLS 1.3)
- API keys encrypted before storage
- Multi-factor authentication (2FA) available
- Role-based access control (Owner, Admin, Member)
- Row-level security (you only see your practice data)
- Hosted on AWS (SOC 2 Type II certified)
- Daily automated backups
- 24/7 security monitoring
Data Retention
| Data Type | Retention Period |
|---|---|
| Patient data | While account is active |
| Message history | 24 months |
| Audit logs | 7 years (compliance) |
| Deleted accounts | 30 days (recovery period) |
Data Sharing
We NEVER:
- Sell your patient data
- Share data with advertisers
- Use data for non-service purposes
We share data only with:
- Services you connect (Cliniko, Chatwoot)
- Service providers bound by data processing agreements
- Law enforcement (when legally required)
Security Best Practices
For Practice Owners
1. Enable Two-Factor Authentication - Turn on 2FA for all admin accounts in Settings → Security
2. Use Strong Passwords - Use unique passwords (12+ characters) or a password manager
3. Review Team Access - Regularly audit team member roles and remove inactive users
4. Secure API Keys - Store Cliniko/Chatwoot credentials securely, never share them
For Team Members
- Lock your device when stepping away
- Don’t share login credentials
- Report suspicious activity to your practice owner
- Only access Routiq from approved devices
Audit Logs
All security-relevant events are logged and available for review:
- User logins and failed attempts
- Patient record access
- Campaign actions
- Settings changes
- Integration updates
Third-Party Services
Routiq uses trusted, certified service providers:
| Service | Purpose | Certification |
|---|---|---|
| Vercel | Application hosting | SOC 2, ISO 27001 |
| Supabase | Database and authentication | SOC 2 Type II |
| Cliniko | Patient data source | ISO 27001 |
| Chatwoot | Messaging platform | Open source, self-hostable |
Certifications & Compliance Status
Current
- GDPR compliance in progress
- HIPAA-aligned security controls implemented
- SOC 2 Type II audit in progress with Vanta (expected Q1 2026)
Questions?
For all support, compliance, and security questions:
- Email: [email protected]
Vulnerability Disclosure
Found a security issue? We appreciate responsible disclosure:
- Email: [email protected]
- Include: Detailed description, steps to reproduce, impact
- Don’t: Publicly disclose before we’ve fixed the issue
- We will: Acknowledge within 48 hours and work to remediate