FAQ for Upvio's Transparency and Control

Here are some of the frequently asked questions on Upvio's security, transparency and control.

Transparency and Control:

Patients retain rights to access, rectify, or erase their data. We provide clear documentation on data-handling practices and respond to requests within GDPR timelines.  


Notification:

Any changes to data processing (e.g., new sub-processors) are communicated in advance, per contractual commitments. 


Are standard GDPR protections in place for this?
Upvio adheres to GDPR standards for EU/Irish customers through Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework (DPF) for lawful cross-border data transfers, AES-256 encryption at rest and TLS in transit, 72-hour breach alerts, and tools for patient data access and erasure (excluding archived clinical records, which are retained for legal and clinical obligations).

Do you use any third-party companies (sub-processors) to help run your service or store data? If so, can we get a list of them, and will we be told if any new ones are added?
Yes. Our sub-processors include infrastructure and payment providers such as AWS and Stripe. We are compiling the full list as part of our compliance work, which includes moving all security documentation into a dedicated security platform and our in-progress SOC 2/ISO 27001 certification. The full list will be published within the next two months, and new additions will be announced via our Trust Center in advance, in line with our contractual commitments.

If there’s ever a data breach, how quickly would we be told? We’re required by Irish law to report some breaches within 72 hours, so we’d need to hear from you as soon as something happens.
Data Breach Notification
If a breach affecting Irish patient data occurs, Upvio will notify impacted customers within 72 hours of confirming the breach. Under GDPR Article 33 a processor must inform the controller without undue delay, and the controller’s own 72-hour window for reporting to the Data Protection Commission runs from the point it becomes aware of the breach, which is normally when the processor informs it; Upvio’s notification is therefore what starts your reporting clock.
    • Process:
      • Breaches are assessed immediately for risks to individuals’ rights and freedoms.
      • Notifications include the scope of the breach, its likely consequences, and the mitigation steps taken.
    • Compliance:
      • Aligns with the Irish Data Protection Act 2018 and GDPR.
      • Documentation and transparency are maintained for audits.
    • Customer Action:
      • Report suspected breaches to Upvio promptly (e.g. support@upvio.com).
      • Cooperate in investigations as required by Upvio’s terms.
    • Assurance:
      • Timely communication is prioritised; the contractual notification terms are set out in Upvio’s DPA.

 

Security Breach Process:

The process begins with the detection of a potential security issue through our monitoring systems or an alert from another source (including customer reports). Once identified, our incident response team is notified and begins an investigation to determine the incident’s scope and impact. We then contain the threat, recover affected systems, and implement preventative measures to avoid a recurrence. Throughout, we maintain clear communication and thorough documentation so that the response is transparent and feeds back into our security practices. Platform-wide progress updates are posted on our public status page; customers whose data is affected are contacted directly with the scope of the breach and how their data was affected.
Service status for all components is published at https://status.upvio.com/

Patient Data Access


Can your system help us respond if a patient asks to see, update, or delete their data?
Do you help with that or would it all be on us?
Yes, Upvio’s system supports GDPR-compliant responses to patient requests:  

Access/Updates:  
Patients can securely view or request edits to their data.  
Audit logs track all changes for compliance.  


Deletions:  
Non-Archived Data: Removable upon a validated request.  
Archived Data: Critical records (e.g. medical history) are preserved to meet legal and clinical retention obligations and cannot be deleted; this is the GDPR Article 17(3) exception for legal obligations, and you should document it when responding to an erasure request.  


Your Role:  
Verify the patient’s identity and, where a request is made on their behalf, the requester’s authority before acting on it.  

Assess legal exceptions (e.g. retention obligations or risks to the privacy of third parties).  


Our Support:  
Tools for secure access, edits, and deletion of non-archived data.  
Guidance on workflows (legal decisions remain your responsibility).

 

If we ever decide to move on from Upvio, what will happen to the data?
Is it easy to get all our patient data back, and how long does it take to delete everything safely?

Process:
Export patient records via CSV/Excel (demographics, appointments, notes) or ZIP files for full access requests (including attachments). Follow steps similar to bulk import workflows. 

Timeline:
Immediate for standard exports; complex requests (e.g. a full practice export) may require additional processing time. 

Data Deletion:  
Non-Archived Data: Deletable upon request via the administrative tools.  
Archived Data: Retained to meet legal and clinical obligations and cannot be erased.

Post-Termination:  
Confirm that your export is complete, and verify it (record counts, attachments), before closing the account.  
Deletion of non-archived data occurs on your request, with timelines dependent on system workflows (typically within the one-month response period GDPR sets for data subject requests). 

Support:
Upvio provides export tools and guidance, but archival compliance remains your responsibility.
 
Liability:
If there’s ever a data issue or breach on your side, how does your policy handle that?
Would we be covered or helped in any way?
Our liability framework, defined in our Master SaaS Agreement (MSA) and Business Associate Agreement (BAA), prioritises transparency and compliance:  
  • Incident Response:  
Breach Mitigation: Upvio commits to immediate investigation, containment, and remediation of breaches, per our HIPAA Security Policy. This includes notifying affected customers within 72 hours of confirmation if patient data is compromised.  
Support: We provide forensic evidence, audit logs, and guidance to help you meet your own regulatory reporting obligations (e.g. GDPR, HIPAA). 
  • Liability Caps:  
MSA Terms: Liability is typically capped at 12 months of subscription fees, unless higher liability arises from gross negligence or wilful misconduct. 
Exceptions: Data privacy breaches may be excluded from standard caps, subject to carve-outs negotiated in your MSA. 
  • Indemnification:  
Upvio indemnifies customers against third-party claims resulting from our failure to comply with data protection laws (e.g. HIPAA, GDPR).  
Exclusions: Breaches caused by customer misconfiguration, or by unauthorised access originating on the customer side (for example through customer-managed user accounts), are not covered.  
  • Insurance Backing:  
Upvio maintains cyber insurance (ProRisk-style policies) to cover breach response costs, legal fees, and regulatory fines where these are insurable.  
  • Shared Responsibilities:  
Your Role: Implement access controls, monitor user activity, and report incidents promptly.

Our Role: Secure infrastructure, encrypt data (AES-256/TLS), and maintain breach response protocols.  
 

Irish Law Compliance

 
We’re also wondering if your platform has been reviewed against any specific EU health data rules — not just general GDPR?
Irish/EU Health Data Compliance  
While our platform has not undergone a specific Irish health data compliance review, we align with EU-wide standards:  
Key Compliance: 
  1. GDPR: Adheres to Articles 6 and 9 (lawful bases for processing, including special-category health data) and uses SCCs for cross-border transfers.  
  2. EHDS Alignment: Supports interoperability (HL7/FHIR) and secure data exchange in preparation for European Health Data Space (EHDS) requirements.  
  3. Security Commitments:  
Encryption (AES-256 at rest, TLS in transit).  
Access controls, audit logs, and breach notification within 72 hours.  
SOC 2 and ISO 27001 certifications are currently in progress, with timelines shared upon request.  
  4. Irish Health Data: Archive systems ensure clinical and legal data retention compatible with the principles of Ireland’s Health Information Bill.  

 

Focus on GDPR


Some of your documents talk a lot about U.S. laws (like HIPAA), but we’re in Ireland, so GDPR is the priority for us.

Can you confirm that GDPR is fully covered and that your platform is built to meet those rules? 
Yes, Upvio’s platform is designed to fully comply with GDPR as a global priority, alongside HIPAA and other regional frameworks. Here’s how we meet Irish/EU requirements:  

Key GDPR Alignments:  
  • Data Processing Addendum (DPA):  
Our DPA incorporates Standard Contractual Clauses (SCCs) for lawful transfers of personal data outside the EU/EEA, including to AWS servers in the United States.  
Ensures all sub-processors (e.g. AWS, Stripe) are bound by equivalent GDPR obligations.  
  • Data Protection by Design:  
Encryption: AES-256 for data at rest, TLS 1.2+ for data in transit.  
Access Controls: Role-based permissions, audit logs, and MFA to restrict unauthorized access.  
Data Minimization: Collect only necessary patient data via customizable forms.  
  • Patient Rights:  
Access/Portability: Export patient data via CSV/ZIP files for DSARs (Data Subject Access Requests).  
Erasure: Non-archived data is deletable upon request; archived records are retained for legal obligations.  
Rectification: Patients or providers can update records securely.  
  • Transparency & Accountability:  
Breach Notification: Alert customers within 72 hours of confirmed GDPR-reportable breaches.  
DPIA Support: Tools for Data Protection Impact Assessments (e.g., access logs, risk analysis).  
  • Certifications in Progress:  
SOC 2 & ISO 27001: Audits are under way to strengthen our security posture, complementing our existing HIPAA and GDPR compliance programmes.  
For further detail, refer to the full policies and agreements:  
https://upvio.com/gdpr-policy
https://upvio.com/hipaa-privacy-and-security-policy
https://upvio.com/master-saas-agreement 
https://status.upvio.com/