Security and compliance, engineered in.

A signed BAA, SOC 2 Type II, encryption everywhere, US-based hosting, and full audit logging. Ghost Metrics is built so protected health information is safe at every layer.

Signed BAASOC 2 Type IIAES-256 & US-hosted
your-practice.ghostmetrics.io / security-compliance
Security & compliance overview (controls, audit log)

PHI is filtered before it is stored.

Our pipeline strips and hashes identifiers at the edge, so protected health information never lands in our database. The strongest safeguard is simply never holding it.

Edge redaction of IPs, URLs & fields
Encryption with AES-256 at rest
TLS 1.2+ in transit, US-hosted

Controls your auditors will trust.

Role-based access, granular audit logs, and a signed BAA on every plan give your compliance and security teams exactly what they need to sign off.

Role-based access controls
Granular, exportable audit logs
Signed BAA & SOC 2 Type II
The Ghost Metrics activity log: timestamped admin and configuration events

Protection at every layer.

The safeguards healthcare requires, included by default.

Signed BAA

A real Business Associate Agreement on every plan.

PHI stripped at the edge

Identifiers are redacted before anything is stored.

AES-256 encryption

Encrypted at rest and with TLS 1.2+ in transit.

100% US-hosted

Hosted entirely within US-based infrastructure.

Audit logs

Granular, exportable logs of every data access.

SOC 2 Type II

Independently audited security controls.

Security & compliance, answered

How is PHI kept safe?
Protected health information is filtered and hashed at the edge before storage, so it never enters our database. Combined with a signed BAA, that keeps you compliant.
Are you SOC 2 audited?
Yes. We have a SOC 2 Type II report from an independent auditor, in addition to our HIPAA posture and 100% US-hosted infrastructure.
Where is data stored?
Entirely within US-based infrastructure, encrypted with AES-256 at rest and TLS 1.2+ in transit.

Ghost Metrics follows HHS guidance

Federal guidance lays out a compliant path for website tracking: route it through a vendor that signs a BAA, strips the PHI, and shares only de-identified data downstream. That vendor is Ghost Metrics.

“…the regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA.”
U.S. Department of Health and Human Services seal
U.S. Department of Health & Human ServicesOffice for Civil Rights · HIPAA online tracking guidance

Quoted from public HHS guidance. Ghost Metrics is not affiliated with or endorsed by HHS.

Built for the standards healthcare demands.

See how Ghost Metrics keeps PHI safe at every layer.