Our Commitment: Protecting Your Data
Strengthen healthcare data security through industry-leading standards
Last update: July 2025
Overview
Security
Petal empowers healthcare organizations on a data-driven cloud platform to orchestrate healthcare workflows in real time. To do this, Petal places maximum importance on data security.
Data Ownership and Residency
Data used through Petal technology solutions remains the client’s property and is hosted in Canada.
Data Encryption
- In transit: Data is encrypted using the Transport Layer Security protocol, version 1.2 (TLS 1.2) or higher.
- At rest: Data is protected using the Advanced Encryption Standard, 256-bit (AES 256) or higher.
Compliance with Privacy and Security Standards
Petal's policies and procedures are based on cybersecurity and privacy best practices, including compliance with the General Data Protection Regulation (GDPR). Petal holds the Service Organization Control 2, Type II (SOC 2 Type II) certification issued by the American Institute of Certified Public Accountants (AICPA), which verifies that a company has implemented and consistently maintained effective controls related to security, availability, and confidentiality.
Petal undergoes rigorous annual audits to maintain its certifications and attestations of compliance, as well as data security for its clients.
GDPR
The GDPR empowers individuals to control how their personal data is collected, used, and stored by promoting transparency, legitimizing usage, and increasing privacy rights. Petal adheres to the requirements of the GDPR.
Data Access Management
Petal clients have control of their data and determine the type of permissions and roles assigned to their users.
Personal Health Information
To improve data protection, Petal limits the ability to save personal health information on local or personal devices.
Highly Secure Cloud Environment
To offer the highest level of security and confidentiality, data is hosted on the renowned Microsoft Azure cloud servers.
Microsoft Azure complies with the highest domestic security standards, including several international standards and certifications, such as ISO/IEC 27001:2022, ISO 27018, HDS, FedRAMP, SOC 1, 2 and 3, PCI DSS, GDPR, and HIPAA.
Proven Security Measures
Petal works constantly to prevent, detect, and respond to potential cyber-attacks or incidents.
Petal's security policies and practices are based on the industry’s best standards, including ISO 27001, NIST, and OWASP for application security.
Incident Management
Petal follows a comprehensive management process in the event of an incident, outage, or privacy breach.
Rigorous Vulnerability Management
Petal integrates security throughout the software development lifecycle (Secure Software Development Life Cycle; S-SDLC) to identify and remediate vulnerabilities early and effectively. Security assessments occur at every development stage to ensure compliance with secure practices.
Staff Training
Petal maintains a rigorous, perpetual staff training program to ensure that all employees uphold the highest security and privacy standards. All new hires undergo background checks and receive mandatory, role-specific training covering topics such as data protection, access management, digital best practices, and incident prevention.