Security at Chiropractic Outcomes
How we protect the data entrusted to us
Protecting the health information of patients is fundamental to how Chiropractic Outcomes is designed and operated. We take a layered approach to security — combining secure infrastructure, strong access controls, encryption, operational safeguards, and ongoing risk management — so that clinics and their patients can trust us with sensitive data.
Security at a Glance
| Area | Measure |
| --- | --- |
| Hosting | Amazon Web Services (AWS) — EU region (Paris) |
| Encryption in transit | HTTPS / TLS 1.2 or higher |
| Encryption at rest | AES-256 |
| Authentication | Multi-factor authentication (MFA) supported |
| Backups | Monthly automated backups with tested restoration |
| Access model | Clinic-controlled user permissions |
| Incident response | Defined process; GDPR 72-hour notification commitment |
| Data not sold | Patient data is never sold or used for advertising |
Infrastructure Security
Chiropractic Outcomes is hosted on Amazon Web Services (AWS) within the European Union. AWS operates highly secure, certified data centers with extensive physical and environmental protections, including:
- 24/7 on-site security personnel and continuous video surveillance
- Strict physical access controls with multi-factor authentication for facility entry
- Redundant power systems, including battery backup and diesel generators
- Controlled hardware delivery and maintenance procedures
AWS holds multiple industry certifications including ISO 27001, SOC 1, SOC 2, and SOC 3, and is compliant with the EU’s data protection requirements. Full details of AWS security and compliance can be found at aws.amazon.com/compliance.
Encryption & Data Protection
All data is protected using modern encryption standards:
- Data in transit: All communication between users and the platform is encrypted using HTTPS (TLS 1.2 or higher), preventing interception.
- Data at rest: All stored data is encrypted using AES-256 encryption, one of the strongest standards available.
Access Controls
Clinic user management
Each clinic controls who can access their account and what permissions those users have within the platform. Access is managed at the clinic level, and administrators can add, remove, or modify user access at any time.
Support access
In limited circumstances, authorized members of the Chiropractic Outcomes support team may access a clinic account to investigate a technical issue or respond to a specific support request. Such access:
- Requires a legitimate support reason
- Is restricted to authorized personnel only
- Is used solely for troubleshooting or assisting the clinic
Authentication
Chiropractic Outcomes supports multi-factor authentication (MFA) for all user accounts. Authentication sessions are time-limited and require re-authentication to maintain secure access.
Vulnerability Management & Security Testing
We proactively identify and address security risks through:
- Dependency and patch management: Software dependencies are regularly reviewed and updated to address known vulnerabilities.
- Security scanning: Automated scanning is applied to identify common vulnerabilities in our application and infrastructure.
- Penetration testing: We conduct periodic security assessments to identify and remediate vulnerabilities before they can be exploited.
Backup & System Resilience
Chiropractic Outcomes performs automated daily backups of all patient and clinic data. Backup restoration is tested regularly to confirm reliability. In the event of a significant incident:
- Our target recovery point objective (RPO) — the maximum data loss window — is 24 hours.
- Our target recovery time objective (RTO) — the time to restore service — is within 24 hours for critical systems.
Infrastructure is continuously monitored, with automated alerting for anomalies or service degradation. Operational procedures are in place to respond quickly to unexpected incidents or service interruptions.
Incident Response & Breach Notification
We maintain a defined incident response process for security events. In the event of a confirmed data breach or security incident that may affect clinic or patient data:
- Affected clinics will be notified without undue delay, and in any case within 72 hours of us becoming aware of the incident, in line with GDPR Article 33 requirements.
- Notifications will include the nature of the incident, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
- We will cooperate fully with affected clinics and relevant supervisory authorities throughout the response process.
Clinics subject to HIPAA are responsible for their own breach notification obligations to patients and the U.S. Department of Health and Human Services (HHS) under the HIPAA Breach Notification Rule. We will provide all reasonable assistance to support this process.
Subprocessors & Third-Party Services
In operating the platform, Chiropractic Outcomes uses a limited number of trusted third-party service providers (subprocessors) who may process clinic or patient data on our behalf. All subprocessors are subject to:
- Contractual data processing agreements requiring them to protect data to at least the standard we maintain
- Assessment of their security and privacy practices prior to engagement
- Ongoing monitoring of their compliance
Our primary subprocessor for infrastructure is Amazon Web Services (AWS), used for cloud hosting and data storage within the EU. A current list of subprocessors is available upon request by contacting us at support@chiropracticoutcomes.com.
Data Storage & Residency
All survey data is processed and stored within the European Union, using AWS infrastructure. This applies to all clinics globally — including those based outside the EU.
Where clinic staff or administrators located outside the European Economic Area (EEA) access the platform, such access is subject to appropriate safeguards in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) where applicable.
Data Deletion & Offboarding
When a clinic ends its relationship with Chiropractic Outcomes:
- The clinic’s data remains accessible for a reasonable period following contract termination to allow export if required.
- Following that period, clinic and patient data is securely deleted from production systems.
- Residual copies in encrypted backups are deleted as backup cycles complete, typically within 180 days.
Clinics wishing to export their data prior to offboarding should contact us at support@chiropracticoutcomes.com to arrange this.
Compliance & Regulatory Framework
GDPR
Chiropractic Outcomes processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679. Clinics act as Data Controllers; Chiropractic Outcomes acts as Data Processor under a Data Processing Agreement (DPA). We support clinics in meeting their GDPR obligations, including patient consent, data subject rights, and secure processing of special category health data.
HIPAA
For clinics located in the United States, patient information collected through outcome surveys may constitute Protected Health Information (PHI) under HIPAA. Where applicable, Chiropractic Outcomes operates as a Business Associate and enters into a Business Associate Agreement (BAA) with each US clinic. The clinic, as the Covered Entity, retains responsibility for its own HIPAA compliance obligations.
Spanish Law (LOPDGDD)
Processing is also conducted in accordance with Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), applicable in Spain.
Certifications & Audits
Chiropractic Outcomes currently does not hold independent certifications such as SOC 2 or ISO 27001. We rely on the certified infrastructure of AWS and maintain internal controls aligned with best practices.
Clinics or enterprise groups with specific audit or certification requirements are encouraged to contact us to discuss their needs. We are committed to transparency and will provide relevant documentation on our security practices upon request.
Questions & Security Disclosures
If you have questions about our security practices, wish to request security documentation, or need to report a potential vulnerability, please contact us:
Email: support@chiropracticoutcomes.com
We take all security enquiries and disclosures seriously and will respond promptly.
This document reflects Chiropractic Outcomes’ security posture as of April 2026. It is intended for informational purposes and does not constitute a legally binding commitment. Details may be updated as our platform evolves.
