website & Platform

Privacy policy

Effective Date: October 30, 2025

1. Introduction: Our Role and Scope

This Privacy Policy explains how Scala, a Platform-as-a-Service (PaaS) provider, handles two different categories of personal information. Our privacy program is governed by a robust internal policy framework, including our Privacy, Use, and Disclosure Policy (HIPAA), and is designed to meet the requirements of the HIPAA Privacy Rule and is subject to external review under the SOC 2 Type 2 attestation.

Role | Data Type | Governance
Data Controller (Primary Role for Users) | Customer Personal Information (PII) | Governed by this Privacy Policy and general privacy laws.
Business Associate (BA) | Protected Health Information (PHI) | Governed strictly by the Business Associate Agreement (BAA) with our clients and the HIPAA Privacy Rule.

2. Customer Personal Information (PII) We Collect and Use (SOC 2 Focus)

This section covers the information we collect directly from you (our client contact, employee, or website visitor) to manage our business relationship and ensure platform operation. Scala acts as the Data Controller for this PII. We collect PII only for the purposes identified in this Notice.

Category of PII | Examples of Data Collected | Purpose of Collection (SOC 2 Notice)
Account/Service Data | Name, job title, company address, work email, phone number, login credentials. | To establish and manage your user account, provide customer support, and process billing.
Technical & Usage Data | IP addresses, browser information, session duration, and unique device IDs. | To ensure platform security (Security TSC), availability (Availability TSC), verify user identity, and for internal system monitoring.
Communication Data | Information provided via email, chat, or support tickets. | To respond to your inquiries, provide technical support, and fulfill service requests.

3. Protected Health Information (PHI) Handling (HIPAA Focus)

We do not own or control PHI. We process it as a Business Associate (BA) on behalf of our healthcare clients (Covered Entities).

  • Our Obligation: Scala uses and discloses PHI only as permitted by our client and as strictly required or allowed by the Business Associate Agreement (BAA) and the HIPAA Privacy Rule. We will not use PHI for any independent purpose, such as marketing or monetization.
  • Individual Rights: If you are an individual (patient) seeking to access or amend your PHI, or to request an accounting of disclosures related to it, you must contact your healthcare provider (the Covered Entity) directly. We will fully cooperate with our client to fulfill their HIPAA obligations.

4. Security, Retention, and Compliance Attestations

4.1 Security and Safeguards

We implement and maintain administrative, technical, and physical safeguards to protect both PII and PHI. These safeguards include encryption, access controls, and regular system monitoring. Our controls are tested and formally reviewed by independent auditors.

4.2 Compliance Assurance (SOC 2 Type 2)

Scala's commitment to data protection is demonstrated through an annual, independent third-party audit of our controls. This audit results in a SOC 2 Type 2 Report, which assesses the effective operation of our systems against the following Trust Services Criteria (TSC):

  • Security: Protecting our system against unauthorized access and disclosure.
  • Availability: Ensuring system uptime and operation as committed.
  • Confidentiality: Protecting information designated as confidential (e.g., business plans, intellectual property).
  • Privacy: Safeguarding personal information (PII) in conformity with the commitments made in this policy.

4.3 Data Retention and Destruction

We retain PII only for as long as necessary to fulfill the purposes for which it was collected. PHI retention is strictly dictated by the BAA with our Covered Entity client. Upon termination of a service, we follow documented procedures for the secure and permanent destruction or return of all data, including PHI and PII.

5. Your Rights and Choices

We respect your privacy rights over the PII we collect directly from you. We offer you the following choices (Choice and Consent Principle):

  • Access and Correction: You may request access to the PII we hold about you or ask us to correct any inaccurate PII.
  • Deletion: You may request the deletion of your PII, subject to our legal and contractual necessities (e.g., retaining PHI subject to a BAA is required by law).
  • Opt-out: You may opt out of receiving non-essential marketing communications from us.

6. Contact Information

For questions, complaints, or to exercise your rights regarding this policy or the PII we collect directly, please contact us.

For inquiries regarding PHI (patient data) rights, please contact your respective healthcare provider.