Vitala
Evidence · Security & Compliance

Healthcare-grade infrastructure, from the ground up.

Vitala is designed for real clinical environments — with the privacy, security, and compliance posture that healthcare organizations require.

Compliance status

Where we stand on the frameworks buyers ask about.

The table below reflects our current posture. Specific documentation — BAA, DPA, SOC 2 report, sub-processor list, penetration-test summary — is shared under NDA during partnership review.

FrameworkScopeStatusNotes
HIPAAUnited StatesAlignedBAA available under partnership agreement.
GDPREuropean UnionAlignedDPA available under partnership agreement.
SOC 2 Type IITrust Services CriteriaIn progressReport available on request when complete.
ISO 27001Information SecurityIn progress
HITRUST CSFHealthcare risk frameworkOn requestDiscuss timing during partnership review.
CE Mark (MDR)EU medical device frameworkOn requestRegulatory classification depends on deployment scope.
FDA registrationUnited StatesOn requestRegulatory classification depends on deployment scope.

Vitala does not claim independent certification unless explicitly stated. "Aligned" reflects operational practices; formal audit status is shared during partnership review.

Data handling

How patient data is protected across the platform.

Data residency

Regional hosting available for EU and US deployments. Discussed per partnership.

Encryption

In transit via TLS and at rest with industry-standard encryption.

Access controls

Role-based access. SSO / SAML available for enterprise deployments on request.

Audit logging

Access and administrative actions are logged for review.

Vendor & sub-processor posture

Sub-processor list, hosting regions, and retention schedule are shared with prospective partners under NDA. Vitala reviews sub-processors before engagement and notifies partners of material changes per agreement terms.

Incident & breach handling

Vitala maintains an incident response process aligned with HIPAA and GDPR breach-notification expectations. Specific SLAs are defined in the partnership and data-processing agreements.

Security principles

Built for the trust healthcare demands.

Privacy by Design

Patient data handled with healthcare-grade privacy controls.

Encryption in Transit & at Rest

Industry-standard encryption across the platform.

Regulatory Alignment

Aligned with the frameworks healthcare organizations rely on.

Access Controls

Role-based access designed for clinical and operational use.

Resilient Infrastructure

Cloud infrastructure built for uptime and continuity.

Documentation Support

Provider-aligned records that fit into real clinical workflows.

Build with confidence on Vitala.

Partner with Vitala to bring Exercise as Medicine to your patients — on healthcare-grade infrastructure. Specific compliance documentation shared under NDA.