Trust & Compliance Center

Rhapsody is committed to the security and privacy of your data. Here you can find our compliance certifications and review our privacy posture.

SOC 2 Type II

Reporting period: May 2024 – April 2025

Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. Please request access to view the full report.

Request Access

ISO/IEC 27001:2022

Valid until April 2028

The latest international standard on how to manage information security. Download our certificate of registration.

Download Certificate (PDF)

EU-US & UK-US Data Privacy Framework

Valid until July 2026

Certified under the EU-US and UK Extension to the Data Privacy Framework, demonstrating our commitment to lawful transatlantic data transfers. View our certification on the official DPF list.

View Certificate

HITRUST e1 Certified

Valid until Dec 2026

Demonstrates our commitment to essential cybersecurity hygiene through the HITRUST Essentials, 1-year (e1) Certification. Please request access to view the report.

Request Access

Cyber Essentials Plus

Valid until June 2026

The highest level of certification, this involves a hands-on technical verification of our cyber security in the UK. Download our certificate of assurance.

Download Certificate (PDF)

Penetration Test Attestation

Valid until March 2025

Summary of our latest third-party penetration test, validating the security of our platform and infrastructure. Please request access for the full attestation.

Request Access

Privacy by Design & Data Governance

Rhapsody’s commitment to privacy is foundational. We operate on a “privacy by design” principle, integrating data protection into every aspect of our products and services. For our customers, we act as a Data Processor, meaning we process your data only according to your instructions and our contractual agreements (e.g., DPAs and BAAs).

You own your data. Our role is to provide a secure, robust platform for you to manage and exchange it, with governance controls built-in to maintain data integrity and isolation.

Global Compliance & Standards

We are dedicated to meeting rigorous global privacy and security standards to support your compliance needs:

HIPAA: We support our healthcare customers’ compliance with HIPAA by signing Business Associate Agreements (BAAs) and implementing the necessary technical safeguards to protect PHI.
GDPR & International Transfers: For customers subject to GDPR, we provide a Data Processing Addendum (DPA) that includes Standard Contractual Clauses (SCCs). We also offer guidance on Data Transfer Impact Assessments (DTIAs) to ensure lawful international data flows.
Data Privacy Framework (DPF): We support lawful transatlantic data transfers through mechanisms like the EU-US Data Privacy Framework (including its UK Extensions). Our adherence to the DPF Principles provides a reliable legal basis for transferring personal data to the US, ensuring protection consistent with international law.
ONC Cures Act: Our products are designed to support the interoperability and information sharing requirements of the 21st Century Cures Act, promoting secure and transparent data exchange in healthcare.

Technical & Organizational Security

Our privacy commitments are backed by robust, independently-audited security measures. Our ISO 27001, SOC 2, and HITRUST certifications validate our comprehensive security program, which includes:

End-to-End Encryption: Data is protected with strong encryption (e.g., TLS 1.2+ for data in transit, AES-256 for data at rest).
Strict Access Control: We enforce the principle of least privilege with role-based access controls and conduct regular access reviews.
Comprehensive Auditing: Detailed audit logs provide visibility into system and data access, ensuring accountability.
Vendor Management: We maintain a formal program to assess the security and privacy practices of all our sub-processors.

Data Subject Rights & Transparency

We are committed to transparency and supporting your data rights. As a data processor, we assist our customers in responding to Data Subject Requests (DSRs) from individuals (e.g., for access, correction, or deletion) in a timely manner.

Data Retention: We retain personal information only for as long as necessary to fulfill the purposes outlined in our customer agreements and privacy policy, or as required by law.
Your Choices: You can manage your communication preferences and opt out of marketing emails at any time.

For any questions about our privacy practices, please contact us at compliance@rhapsody.health.

Our reports cover the Security, Availability, and Confidentiality Trust Services Criteria. The Security principle is the foundation, ensuring we protect against unauthorized access. Availability ensures our services are operational as committed, and Confidentiality ensures that data designated as confidential is protected.

Rhapsody maintains a formal risk management program. We conduct regular risk assessments to identify, evaluate, and mitigate security and operational risks. This process includes assigning risk owners and tracking mitigation efforts to ensure continuous improvement of our security posture.

We enforce the principle of least privilege. Access to data and systems is strictly role-based and requires documented approval. We perform quarterly access reviews, and our controls are designed to prevent unauthorized access, ensuring that only necessary personnel can interact with sensitive information.

Yes. Our use of strong encryption for data at rest (e.g., AES-256) and in transit (e.g., TLS 1.2+) is a critical control. This ensures the confidentiality and integrity of customer data across our platform.

We have a comprehensive Business Continuity and Disaster Recovery (BCDR) plan, which is tested annually. This plan includes data backups, failover procedures, and strategies to ensure our services remain available and resilient in the event of an unexpected disruption.

Our security standards extend to our vendors. We have a formal vendor management program that assesses the security posture of our sub-processors and other key vendors before engagement and on an ongoing basis to ensure they meet our security and compliance requirements.

Rhapsody is designed to support our customers’ HIPAA compliance obligations. Our platform includes robust security features like end-to-end encryption, comprehensive audit logging, and strict access controls to safeguard Protected Health Information (PHI). We sign Business Associate Agreements (BAAs) with our customers to contractually uphold our shared responsibilities in protecting health data. Our HITRUST certification and other independent audits further validate the strength of these controls.

Data governance is central to our platform. We provide tools that give our customers full control and visibility over their data flows. Customer data is logically isolated, and our policies ensure that we only process data according to our customer agreements. You own your data, and we provide the secure foundation to manage and exchange it effectively.

Rhapsody is committed to adhering to many global data privacy standards, including GDPR. We sign Data Processing Addendum (DPA) with our customers that incorporate the GDPR Standard Contractual Clauses (SCCs) to ensure lawful data transfers. In addition, we rely on mechanisms like the EU-US Data Privacy Framework (including its UK Extension). Our platform enables customers to meet their obligations regarding data subject rights, and we apply our high standards of data protection to all customers, regardless of their location.

Yes, we understand the importance of data residency for many of our customers. Our cloud-native services can be deployed in specific geographic regions through our cloud provider partners (like AWS and Azure). This allows customers to keep their data within defined geopolitical boundaries to meet regulatory and policy requirements. Customers are welcome to self-host in GCP. Please discuss your specific needs with our team.