Security by Design
Security of client information and privacy is at the foundation of the Greenspace platform. We take this responsibility seriously and have implemented significant measures to safeguard clients' personal health information (PHI) that exceed industry standards. Greenspace's commitment to information security within the organization is codified in its Information Security Program, which establishes direction and requirements for securing PHI against theft, loss, unauthorized use, disclosure, disruption, modification, and disposal.
Greenspace is SOC 2 Type II compliant and conforms to digital and physical security protocols (including PIPEDA and PHIPA), with data encrypted in transit using TLS and at rest using AES encryption at the filesystem level, and firewalls protecting all data. We take many additional precautions to protect privacy, including strong password requirements, automatic logouts, automatic access logging, secured data backups, multi-factor authentication and restrictive data access procedures. All PHI is stored in Canada.
Security Features
Below are some of the measures that have been implemented to safeguard patient data and information.
Data Encryption
Data is encrypted in transit using SSL/TLS and at rest using AES-256. Greenspace applies modern cryptographic standards to protect sensitive information across the platform.
Monitoring and Threat Detection
Greenspace maintains centralized logging and continuous monitoring across the application, infrastructure, and hosting environment. Access events and suspicious activity are logged, monitored, and investigated to support rapid detection and response. Host-based intrusion detection is installed on all platform hosts to identify potential system-level intrusions and other anomalous activity.
Access Control and Authentication
Passwords are cryptographically salted and hashed before storage and are never stored in plain text. Multi-factor authentication is required for Greenspace workforce members, and is available for all users to configure. Single sign-on is supported for customers who want to manage authentication through their own identity provider.
Data Storage and Residency
Databases are encrypted, backed up automatically every night, and stored in multiple locations to support resilience and recovery. Backup data is stored in a separate Canadian region, and recovery procedures are tested regularly as part of Greenspace’s business continuity and disaster recovery program.
Independent Testing
Greenspace’s information security program includes annual SOC 2 Type II audits, annual independent penetration testing, and monthly automated vulnerability scanning across network, host, and application layers.
Incident Response and Service Resilience
Greenspace maintains formal incident response, business continuity, and disaster recovery plans. If a confirmed security incident affects customer data, Greenspace follows documented notification and response procedures and provides ongoing updates through resolution.
FREQUENTLY ASKED QUESTIONS
Is Greenspace compliant with Canadian privacy legislation?
Yes. Greenspace is compliant with all Canadian federal and provincial privacy legislation, including the Personal Information Protection and Electronic Documents Act, the Personal Health Information Protection Act, 2004 (Ontario), the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia), and An Act respecting the protection of personal information in the private sector (Quebec).
Is Greenspace SOC 2 Compliant?
Yes. As part of Greenspace’s commitment to ensure best-in-class privacy and security standards, Greenspace has completed a SOC 2 Type II review by an independent AICPA auditing firm that has examined our control objectives and activities, and tested our controls to ensure operational excellence. Reach out anytime if you’d like to discuss privacy and security, learn more or review our SOC 2 Type II Report.
Does Greenspace maintain security practices in line with industry best practices?
Greenspace maintains administrative, technical and physical safeguards that are aligned with industry best practices. Greenspace’s commitment to information security within the organization is codified in its Information Security Program. The Information Security Program provides direction and requirements with respect to the security of PHI to guard against theft, loss, unauthorized use, disclosure, disruption, modification or disposal.
Has Greenspace been through a privacy and security review at major hospitals and/or health systems?
Yes, Greenspace has passed privacy and security reviews at many major US hospitals and health systems. Greenspace supports customers through any necessary privacy and security review processes, and we will work directly with security and privacy teams to provide any necessary documentation and support.
Do Greenspace workforce members complete privacy and security training?
Yes. All Greenspace workforce members are required to complete information security and privacy awareness training as part of the onboarding process and at least annually thereafter. The level and type of training is tailored based on the specific role and responsibilities of each workforce member.
Who can see clients’ protected health information?
Access to protected health information in Greenspace is role-based and configured by each customer. The customer determines which administrators and clinicians are permissioned to see each client’s PHI. Greenspace workforce members’ access to PHI is strictly limited to authorized personnel supporting platform operations, security and customer support functions, and is protected by need-to-know access controls, multi-factor authentication, audit logging, and regular access reviews.
Is any client information or data shared with or sold to any third parties?
Greenspace does not sell customer or client data. We disclose information to authorized service providers (as set out in our Privacy Policy) that support delivery of the platform (such as cloud hosting providers), subject to contractual privacy and security obligations, or where required or permitted by law. Outside of these limited circumstances, Greenspace does not trade, rent, or sell personal information.
Is it secure for clients to complete assessments online?
Assessments delivered to clients — whether in office, by email, or by SMS — do not contain any personally identifying information. All data submitted by clients is transmitted to the platform over encrypted HTTPS connections. No identifying client health information is ever sent over unsecured channels.
Where is my information stored and is it secure?
Greenspace operates a cloud-native infrastructure designed for healthcare data security. Core platform services for Canadian customers are hosted in Canada using trusted cloud providers, including Aptible on AWS (ISO 27001, SOC 2 Type II, HITRUST CSF) for the web application platform and Google Cloud Platform (ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, FedRAMP) for data analytics and AI services. All PHI is stored in Canada. The only exception is with respect to PHI collected using the AI voice agent module where clients can complete their assessments verbally by phone (for customers who have opted-in to use of the AI voice agent module).
Does Greenspace use artificial intelligence, and how is client data protected?
Yes. Greenspace uses AI and machine learning within its platform, including features such as predictive analytics and AI-assisted automation tools. To protect client privacy, only de-identified data (with all direct identifiers removed) is used for AI purposes. Customers can opt out of AI and machine learning data use at any time (opting out removes access to AI-powered features). Greenspace’s use of AI is governed by a formal Responsible Use of AI Policy and is covered under the annual SOC 2 Type II audit.


