Patient information, including data that falls within the scope of HIPAA and the Pearly BAA, is persisted on Google Cloud Platform (GCP) and Confluent Cloud. Pearly has countersigned BAAs with these entities and has verified their compliance with HIPAA, SOC2, and ISO 27001.
Within Pearly's cloud infrastructure, we employ the following practices to ensure data integrity and security: 1) Virtual Private Cloud isolation and peering, 2) encryption of data at rest (AES-256) and in transit (TLS), and 3) anonymization of non-production data.
Pearly relies on the industry-standard Google Identity Platform within GCP for API-level identity management of both Practice Users and Patients.
Our identity layer consists of SHA-2 hashed password storage and authentication, role-based, session-scoped access controls, and application-level authorization logic.
All credit card, debit card, ACH, and other payment method data is collected, stored, and processed via Stripe.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
Pearly maintains and enforces an Internal Security Policy. This policy establishes information security controls and business practices to ensure the protection of sensitive data, specifically Protected Health Information, within the managed services, infrastructure, and business systems operated by Pearly Technology, Inc.