Compliance

HIPAA Notice of Privacy Practices

Effective Date: June 1, 2026 · This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.


SOC 2 Type II

Audit in Progress · Expected Q4 2026


AES-256 Encryption

All PHI encrypted at rest & in transit


TLS 1.3

All connections encrypted in transit


Auto-Logout

15-minute inactivity lock on PHI screens


BAA Covered

All sub-processors under signed BAA

Who Is Covered by This Notice

This Notice applies to SurroSync Inc. in its capacity as a HIPAA Business Associate to licensed healthcare providers using the Clinic Portal. When SurroSync processes, stores, or transmits Protected Health Information (PHI) on behalf of a Covered Entity (e.g., an IVF clinic), it does so under a Business Associate Agreement (BAA) and is subject to HIPAA Privacy and Security Rules.

What Is Protected Health Information (PHI)

PHI is any individually identifiable health information that we create, receive, maintain, or transmit on behalf of a Covered Entity. On the SurroSync platform, PHI includes:

  • IVF cycle data: stimulation protocols, egg retrieval records, embryo grading, PGT results
  • Surrogate health history and pregnancy monitoring records
  • Trigger timing and medication administration schedules
  • Lab results, diagnostic images, and clinical notes uploaded via Clinic Portal
  • Any other medical data that identifies or could reasonably identify an individual

How We May Use and Disclose Your PHI

Treatment

PHI may be disclosed to other healthcare providers involved in your reproductive care (e.g., OB/GYN receiving embryo transfer records from the IVF clinic, or a NICU team receiving prenatal data from the maternity hospital).

Payment

PHI may be used to verify insurance coverage, process reimbursements, or coordinate escrow milestone disbursements tied to medical events (e.g., confirmed viable pregnancy at 8 weeks).

Healthcare Operations

We may use de-identified or aggregated PHI for quality assurance, clinical outcome reporting, and platform safety improvements.

Legal Compliance

We may disclose PHI as required by law, including to respond to court orders, subpoenas, or public health authorities.

Authorization-Required Uses

All other uses or disclosures, including psychotherapy notes, marketing, or sale of PHI, require your written authorization. You may revoke such authorization at any time.

Your Rights Regarding PHI

Right of Access

Request a copy of your health information held in Clinic Portal within 30 days.

Right to Amend

Request amendment of PHI you believe is incorrect or incomplete.

Right to an Accounting

Request a list of disclosures of your PHI made in the prior 6 years.

Right to Restrict

Request restrictions on how PHI is used or disclosed for treatment, payment, or operations.

Right to Confidential Communications

Request that we contact you only through certain means or at certain locations.

Right to a Paper Copy

Receive a paper copy of this Notice upon request, even if you agreed to receive it electronically.

To exercise any of these rights, contact the Privacy Officer at hipaa@surrosync.com or use the DSAR Portal.

Technical & Administrative Safeguards

SurroSync implements comprehensive safeguards per the HIPAA Security Rule:

Access Controls

  • Role-based access: only assigned care team members can view patient records
  • PHI_Access_Logs: every read, write, and export event is logged with user ID, timestamp, and IP
  • Minimum-necessary principle enforced at the API layer

Audit Controls

  • PHI_Access_Logs retained for 6 years, write-once append-only
  • Monthly automated audit report sent to clinic Privacy Officer
  • Anomaly detection alerts for bulk exports or off-hours access

Integrity Controls

  • All PHI stored with SHA-256 checksums
  • Database replication with integrity verification across availability zones
  • Daily encrypted backups with 90-day retention

Transmission Security

  • TLS 1.3 for all API calls and web sessions
  • mTLS for clinic-to-clinic integrations
  • End-to-end encrypted messaging for all party communications

Workstation Security

  • 15-minute auto-logout enforced on all PHI-enabled screens
  • Session tokens expire after 4 hours of inactivity
  • Mobile app requires biometric or PIN re-authentication for PHI views

Audit Trail

PHI_Access_Logs Schema

Every interaction with protected health information is recorded immutably.

Column         Type             Description
log_id         UUID             Unique log entry identifier
accessor_id    UUID             ID of user or service account accessing PHI
accessor_role  ENUM             "physician", "nurse", "clinic_admin", "system", "surrosync_support"
patient_id     UUID (hashed)    De-identified patient reference
record_type    VARCHAR          "cycle", "embryo", "medication", "pgt_result", "trigger"
action         ENUM             "read", "write", "export", "delete_request"
accessed_at    TIMESTAMPTZ      UTC timestamp of the access event
ip_address     INET (hashed)    SHA-256 hash of accessor IP
clinic_id      UUID             ID of the Covered Entity (clinic)
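To show how the anomaly-detection alerts for bulk exports and off-hours access listed under Audit Controls could be evaluated against rows in this schema, the following is an added example and not SurroSync's own code. The export threshold, the clinic-hours window, the exemption for the "system" role and the sample log rows are all constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed policy values, not taken from the notice: an accessor exporting
# records for more than EXPORT_THRESHOLD distinct patients in one UTC day,
# or any non-system access outside WORK_START..WORK_END on a weekday, alerts.
EXPORT_THRESHOLD = 3
WORK_START, WORK_END = 7, 19  # assumed clinic hours in UTC, end exclusive

# Constructed sample rows using the PHI_Access_Logs column names from the
# schema above. All identifiers are placeholders, not real accounts or patients.
COLUMNS = ("log_id", "accessor_id", "accessor_role", "patient_id",
           "record_type", "action", "accessed_at", "clinic_id")
SAMPLE_LOGS = [dict(zip(COLUMNS, r)) for r in [
    ("l1", "user-A", "nurse", "p-01", "cycle", "read", "2026-06-01T14:05:00Z", "c-1"),
    ("l2", "user-A", "nurse", "p-02", "embryo", "export", "2026-06-01T14:10:00Z", "c-1"),
    ("l3", "user-A", "nurse", "p-03", "embryo", "export", "2026-06-01T14:12:00Z", "c-1"),
    ("l4", "user-A", "nurse", "p-04", "pgt_result", "export", "2026-06-01T14:15:00Z", "c-1"),
    ("l5", "user-A", "nurse", "p-05", "cycle", "export", "2026-06-01T14:20:00Z", "c-1"),
    ("l6", "user-B", "physician", "p-06", "trigger", "read", "2026-06-01T02:30:00Z", "c-1"),
    ("l7", "svc-backup", "system", "p-07", "cycle", "read", "2026-06-01T03:00:00Z", "c-1"),
    ("l8", "user-C", "clinic_admin", "p-08", "medication", "read", "2026-06-06T10:00:00Z", "c-1"),
]]

def parse_ts(value):
    """Parse the UTC ISO-8601 form used in accessed_at into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_off_hours(ts):
    """True on weekends, or on a weekday hour outside the assumed clinic window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def detect_anomalies(logs):
    """Return (alert_type, accessor_id, detail) tuples for bulk exports and for
    off-hours access by human roles; 'system' accounts are exempt from the
    off-hours rule because scheduled jobs legitimately run at night."""
    alerts = []
    exports = {}  # (accessor_id, UTC date) -> set of distinct patient_ids exported
    for row in logs:
        ts = parse_ts(row["accessed_at"])
        if row["action"] == "export":
            key = (row["accessor_id"], ts.date())
            exports.setdefault(key, set()).add(row["patient_id"])
        if row["accessor_role"] != "system" and is_off_hours(ts):
            alerts.append(("off_hours_access", row["accessor_id"], row["log_id"]))
    for (accessor, day), patients in exports.items():
        if len(patients) > EXPORT_THRESHOLD:
            alerts.append(("bulk_export", accessor, f"{len(patients)} patients on {day}"))
    return alerts
```

Calling detect_anomalies(SAMPLE_LOGS) yields two off-hours alerts (the 02:30 weekday read and the Saturday read) and one bulk-export alert for the accessor who exported four patients' records in a day.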

Breach Notification

In the event of a breach of unsecured PHI, SurroSync will notify affected individuals within 60 days of discovery, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). If the breach affects 500 or more residents of a state or jurisdiction, we will also notify the Secretary of HHS and prominent media outlets in that state within 60 days.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with SurroSync or with the U.S. Department of Health and Human Services Office for Civil Rights. Filing a complaint will not result in retaliation.

SurroSync Privacy Officer

hipaa@surrosync.com

HHS Office for Civil Rights

hhs.gov/ocr/privacy/hipaa/complaints

Changes to This Notice

SurroSync reserves the right to change the terms of this Notice and to make the new Notice effective for all PHI it maintains. If material changes are made, we will post the new Notice on our website and, where required, notify affected individuals directly.