Trust & Compliance
Built to clear your security review.
One URL to forward to your IT, security, MLR, or procurement team. Everything they need — architecture, subprocessors, certifications, the no-PHI posture, the data-handling answers — consolidated. Designed to clear a vendor security questionnaire in one read.
Architectural posture
No PHI ever crosses. By design.
Veeva CRM sits inside Demo Therapeutics's HIPAA-compliant environment. What flows from Veeva to OVYN is already de-identified before crossing the boundary — minimum cohort of 25, no PHI, no PII. We see what performed, not who experienced it. That makes us a non-covered entity by design — no BAA needed because no PHI ever crosses.
Headline
We are not a covered entity. No BAA required.
DPA available · security review on request
This page answers
The 12 questions your security team will ask.
· Do you have SOC 2?
· Are you HIPAA compliant?
· Do we need a BAA with you?
· Where does our data live?
· Is our data used to train your AI?
· Who are your subprocessors?
· Are you HITRUST certified?
· Are you 21 CFR Part 11 compliant?
· What's your incident response SLA?
· Do you sign DPAs?
· Can we run a pen test against your system?
· Where does the GenAI inference happen?
Compliance posture · framework by framework
Where we stand on each certification or framework.
Not a HIPAA covered entity
Architectural · enforced by data flow
OVYN does not handle PHI. All Veeva CRM data is de-identified by Demo Therapeutics before crossing the boundary — minimum cohort of 25, no patient-level records, 14 aggregate fields max. Therefore no BAA is required between Demo Therapeutics and OVYN. We are happy to sign a DPA on request.
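As an added illustration, not OVYN's or Veeva's code, the following Python check enforces the three boundary rules stated above (cohort of at least 25, no patient-level fields, at most 14 aggregate fields) on a constructed batch before any record is accepted. The identifier field names and the record shape are assumptions; the page does not specify them.

```python
MIN_COHORT = 25            # minimum cohort size stated on the page
MAX_AGGREGATE_FIELDS = 14  # aggregate-field ceiling stated on the page
# Assumed patient-level / PII keys; the real Veeva field names are not on the page.
FORBIDDEN_KEYS = {"patient_id", "mrn", "name", "dob", "email", "phone", "address", "ssn"}

def validate_aggregate_record(record: dict) -> list[str]:
    """Return the rules a record breaks; an empty list means it may cross the boundary."""
    violations = []
    cohort = record.get("cohort_size")
    if not isinstance(cohort, int) or cohort < MIN_COHORT:
        violations.append(f"cohort_size={cohort!r} is below the minimum of {MIN_COHORT}")
    metrics = record.get("metrics", {})
    if not isinstance(metrics, dict):
        violations.append("metrics must be a flat mapping of aggregate values")
        metrics = {}
    # Identifier keys anywhere in the record, not only under metrics, are rejected.
    leaked = {k for k in (*record, *metrics) if str(k).lower() in FORBIDDEN_KEYS}
    if leaked:
        violations.append(f"patient-level fields present: {sorted(leaked)}")
    # A list or nested mapping is a row-level structure, i.e. not an aggregate.
    rows = [k for k, v in metrics.items() if isinstance(v, (list, dict))]
    if rows:
        violations.append(f"non-aggregate (row-level) values under: {rows}")
    if len(metrics) > MAX_AGGREGATE_FIELDS:
        violations.append(f"{len(metrics)} aggregate fields exceeds the cap of {MAX_AGGREGATE_FIELDS}")
    return violations

def filter_boundary(records: list[dict]) -> tuple[list[dict], list[tuple[int, list[str]]]]:
    """Split a batch into records allowed across and (index, violations) for those blocked."""
    allowed, blocked = [], []
    for i, rec in enumerate(records):
        problems = validate_aggregate_record(rec)
        (allowed.append(rec) if not problems else blocked.append((i, problems)))
    return allowed, blocked

# Constructed sample batch, not real Veeva data.
SAMPLE_BATCH = [
    {"cohort_size": 312, "segment": "cardiology-east", "metrics": {"open_rate": 0.41, "click_rate": 0.07}},
    {"cohort_size": 12, "segment": "oncology-west", "metrics": {"open_rate": 0.5}},                   # cohort too small
    {"cohort_size": 90, "segment": "derm-south", "metrics": {"open_rate": 0.3, "patient_id": "P-1"}},  # identifier leaked
    {"cohort_size": 60, "segment": "neuro", "metrics": {f"m{i}": i for i in range(15)}},             # too many fields
]

if __name__ == "__main__":
    ok, bad = filter_boundary(SAMPLE_BATCH)
    print(f"{len(ok)} record(s) may cross; {len(bad)} blocked")
    for idx, why in bad:
        print(f"  record {idx}: {'; '.join(why)}")
```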
SOC 2 Type 2 — infrastructure
Inherited from subprocessors
All upstream subprocessors (Anthropic, Vercel, Twilio, Turso) hold or are pursuing SOC 2 Type 2 certification. Reports available on request from each provider's trust portal.
SOC 2 Type 2 — OVYN
Roadmap · 3–4 months for Type 1
OVYN as a company is not yet SOC 2 certified. We're a small studio. A SOC 2 Type 1 process can be initiated within 30 days if Demo Therapeutics requires it as a deal condition; Type 2 follows after a 6-month observation window.
HITRUST-aligned
Aligned · not certified
We follow HITRUST-aligned data-handling practices: minimum-necessary access, encryption everywhere, audit trails, breach notification SLA. Not certified — alignment, not assessment. Common posture for boutique vendors.
FDA / OPDP compliance
Pre-MLR rail · standing instructions
Generation rail enforces fair-balance proximity, comparative-claim restrictions, outcome-guarantee prohibitions, off-label scope, and ISI requirements before content reaches your MLR team. Every variant is scored against your standing rules with auto-rewrite suggestions on flag.
21 CFR Part 11
Veeva is the regulated layer
Part 11 governs electronic records / signatures for FDA-regulated systems. Your Veeva instance is the regulated record. OVYN sits beside it; the moment content lands in PromoMats, your Part 11 controls take over. We don't claim Part 11 compliance ourselves because the regulated record-of-truth is Veeva.
Subprocessor list · disclosed up front
Every vendor in the data path. With certifications + scope.
Standard pharma vendor questionnaires ask for this — most agencies provide it grudgingly, only on request. We publish it before you ask. New subprocessors require 30 days' notice and your right to object.
Vendor · Role · Region · Certifications + scope (trust notes follow each row)
Anthropic · AI inference (Claude) · US · SOC 2 Type 2
Trust: Receives generation prompts. Per Anthropic enterprise terms, customer prompts and completions are NOT used to train foundation models. 30-day retention max for abuse monitoring; can be disabled.
Vercel · Hosting + edge compute · US · SOC 2 Type 2 · ISO 27001 · HIPAA-eligible
Trust: Serves the OVYN application. No customer content stored at rest in Vercel — used as compute layer only. SSL/TLS terminated at edge.
Twilio · Email + SMS infrastructure · US · SOC 2 Type 2 · HIPAA-eligible (with BAA)
Trust: Used only when client opts into transactional email or SMS. Not used for any patient-data transport. BAA available if Demo Therapeutics enables HIPAA-scoped messaging.
Turso (libsql) · Operational database · US (us-east-1) · Encrypted at rest · audit reports on request
Trust: Stores OVYN platform metadata only — variant IDs, brief structures, user accounts. NEVER stores patient-level data. AES-256 at rest. Multi-region replication disabled by default. Provider's current attestation status available on request to trust@ephicacyhealth.com.
Architecture · the facts
Specifics for your IT review.
Region
All US-based hosting (us-east-1). No data egress outside the US by default.
Encryption · in transit
TLS 1.3 enforced on every connection. HSTS with a 1-year max-age, preload-list eligible.
Encryption · at rest
AES-256 across all subprocessors. Database, object store, backups.
Authentication
OAuth 2.0 to Veeva sandbox first, then production with read/write scope. No shared credentials. SCIM-ready for enterprise SSO during onboarding.
Audit log
Every variant generation, MLR decision, deployment, and Veeva sync is logged with timestamp + actor + content hash. Immutable, append-only. Exportable for audit.
Backups
Daily snapshots, 30-day retention. Cross-region copy disabled by default per data-residency policy.
Incident response
Documented runbook. < 4hr notification on confirmed breach. Quarterly tabletop exercises.
Penetration testing
Annual third-party pen test scheduled for Q3 2026. Internal continuous SAST/DAST in CI.
The question pharma asks every AI agency
"Is our data used to train your AI?"
- No client data is used to train any foundation model. Period.
- Anthropic enterprise terms prohibit it for our account; we have it in writing.
- Brand brain inputs (claims library, ISI, voice rules, performance data) are retrieved at generation time only — not absorbed into model weights.
- Outputs you approve and we deploy are also not used to train any model.
Documents available · on request
What we'll send your security team.
Data Processing Agreement (DPA)
Standard CCPA/GDPR template, signed
Subprocessor change notice
30-day advance notification policy
Vendor security questionnaire response
Pre-filled SIG Lite + CAIQ
Architecture diagram
Full data-flow diagram, no-PHI annotation
Insurance certificates
E&O + cyber liability + general
Sample audit log export
JSON-formatted, last 30 days
Subprocessor SOC 2 reports
Routed from each vendor's trust portal
BAA template (if needed later)
If scope expands to PHI handling
Send the request to: trust@ephicacyhealth.com — typical turnaround under 1 business day. We'll route the right document and offer a 30-min call with whoever your security lead wants to ask questions of.
Once your security team clears
Send a brief — first 12 versions in 48 hours, no commitment.
About Ephicacy Health
We’re building something different.
Ephicacy Healthcare Communications is where the precision of science, the art of storytelling, and intelligent operations converge to reshape healthcare communications — across medical communications, creative advertising, and public relations. OVYN™ is the platform that delivers that work at modern speed.
Five expertise pillars
- Strategic Leadership
- Medical Communications
- Creative Advertising
- Public Relations
- Customer Experience
- Data-Driven Imagination
136 years collective experience