FoundationDx Privacy

FoundationDx is committed to protecting the privacy and security of data entrusted to us by healthcare organizations, including hospitals, clinics, and third-party security and analytics vendors. You may visit pages on our product site without providing personal information. Certain services, however, require data in order to operate effectively. This privacy statement explains how data is collected, used, processed, transmitted, and protected.

Role of FoundationDx

FoundationDx acts as a data processor / service provider, processing personal, sensitive, and API-sourced data solely on behalf of customers and strictly in accordance with contractual instructions, including Data Use Agreements (DUAs), Business Associate Agreements (BAAs), and Data Processing Addenda (DPAs), where applicable.

Collection of Personal Information

We collect personal information only when necessary to provide contracted services. This may include registration, account administration, customer support, and service authorizatione delivery. Personal information collected is generally limited to:

• Name
• Email address
• Organization or professional affiliation

Payment processing is handled exclusively by third-party payment providers. FoundationDx does not store or have access to credit card numbers or financial account information.

Registration

Registration may be required to enable secure access, authorize subscriptions, manage API credentials, and ensure services are delivered only to authorized users.

Use of Email Addresses

Email addresses are used strictly for:

• Account identification and authentication
• Service notifications, security alerts, and operational communications
• Subscription management and customer support

Control of Personal Information

FoundationDx does not sell, rent, or trade personal information. Disclosure occurs only when required by law, regulation, or legal process, or when necessary to protect the security and integrity of our services.

Protected Health Information (PHI)

When services involve Protected Health Information (PHI), FoundationDx complies with HIPAA and applicable state laws. PHI is processed only under executed Business Associate Agreements (BAAs) or equivalent legal instruments and is protected using administrative, technical, and physical safeguards aligned with industry standards.

Use of Cookies

Cookies may be used to support authentication, session continuity, and secure access. Cookies do not store PHI or sensitive personal information and may be disabled via browser settings.

Third-Party Services

This privacy policy does not apply to third-party services or payment providers that operate independently from FoundationDx. Customers are encouraged to review the privacy policies of those providers.

Data Obtained via Application Programming Interfaces (APIs)

FoundationDx services may ingest, process, or analyze data obtained through customer-authorized APIs, including healthcare systems, security platforms, identity providers, and analytics services.

• Authorized Access: API data is accessed only using credentials explicitly provided by the customer.
• Purpose Limitation: API data is processed solely to deliver contracted services.
• Data Minimization: Only required data elements are consumed or retained.
• Security: Encrypted transmission, access controls, and logical isolation are employed.
• No Unauthorized Sharing: API-derived data is not shared except as contractually authorized or legally required.
• Retention: Data is retained only as long as necessary to fulfill contractual or legal obligations.

API Data Use Summary

• Accessed: Customer-authorized API data only
• Used For: Healthcare analytics, security monitoring, reporting, modeling, and anomaly detection
• Protected By: Encryption, access controls, credential security, and audit logging
• Access Limited To: Authorized systems and personnel on a need-to-know basis
• Shared: Not shared with third parties unless explicitly authorized or legally required

GDPR Compliance (EU)

For customers subject to the General Data Protection Regulation (GDPR), FoundationDx acts as a data processor. Personal data is processed under lawful bases including contractual necessity and legitimate interests. Data subject rights—such as access, correction, deletion, restriction, and portability—are supported through customer-directed requests.

CCPA & CPRA Compliance (California)

For California residents, FoundationDx acts as a service provider under the CCPA and CPRA. We do not sell or share personal information for advertising purposes. Personal and sensitive personal information is processed only for permitted business purposes and subject to data minimization and purpose limitation principles.

Security Practices

FoundationDx employs administrative, technical, and organizational safeguards designed to protect personal, API-sourced, and regulated data against unauthorized access, alteration, disclosure, or destruction. Security controls are continuously reviewed and improved.

Policy Updates

This privacy policy may be updated periodically to reflect regulatory, operational, or security changes. Material updates will be posted on this page.

Last updated on Jan 8, 2025