Information Security & Privacy Commitment
Last Updated: October 24, 2025
Our Mission
Viscera Health’s mission is to remove the administrative burden from providers, maximize reimbursement, and empower doctors to bring their full focus to patient care.
Privacy & Security
At Viscera Health, we ensure our technology and operations comply with HIPAA and U.S. privacy laws. We prioritize trust by embedding privacy and security into our product design, business operations, and culture.
Leadership and Accountability: CISO & DPO Oversight
Viscera Health’s information security and privacy programs are headed by James D. Grisham, the Chief Information Security Officer (CISO) and Data Protection Officer (DPO). He has extensive experience in healthcare compliance and cybersecurity. Grisham's responsibilities include:
- Managing enterprise risk, HIPAA compliance, and incident response.
- Ensuring ethical handling of Protected Health Information (PHI) and personally identifiable information (PII).
- Acting as the main contact for security and privacy inquiries from customers, auditors, and regulators.
- Reporting to the CEO to prioritize data protection at the organizational level.
This dual role enhances Viscera Health's commitment to transparency, accountability, and ongoing improvement in data protection.
Key Pillars of Our Security & Privacy Program
- HIPAA-Aligned Security Architecture
We implement encryption for data in transit and at rest, robust identity management, and enterprise-grade access control to ensure the confidentiality, integrity, and availability of PHI.
- Access Control & Authentication
Role-based access, least-privilege enforcement, and multi-factor authentication (MFA) protect all sensitive systems. All privileged access is logged and periodically reviewed.
- Network & Infrastructure Security
Our systems operate within secure cloud environments featuring network segmentation, intrusion detection, and vulnerability management. We perform regular penetration testing and risk assessments to validate our defenses.
- Vendor & Subprocessor Oversight
All third-party partners are vetted through formal due diligence and risk assessments. Subprocessors must sign Business Associate Agreements (BAAs) and meet or exceed our HIPAA-aligned standards.
- Employee Training & Security Culture
Every employee completes annual training on cybersecurity, privacy, and HIPAA awareness. Continuous education and simulation exercises foster a security-first culture across the organization.
Our Pillars Are Designed For:
- Data minimization and purpose limitation
- Transparent consent and disclosure practices
- Support for individual rights under HIPAA: access, amendment, & accounting of disclosures
HIPAA Alignment
Viscera Health aligns with the HIPAA Privacy, Security, and Breach Notification Rules to ensure that all PHI is handled securely and responsibly. We execute BAAs with covered entities and vendors that manage PHI, maintaining contractual and operational safeguards consistent with federal requirements. As reflected on viscerahealth.com, our platform is built with “HIPAA-Grade Security and enterprise-level data protection.”
Transparency Powered by Vanta
Our Governance, Risk, and Compliance (GRC) portal is powered by Vanta.
Customers and partners can request access to our Vanta Trust Center to review real-time compliance evidence and policies, verify certifications and security controls, and subscribe to updates.
Continuous Improvement
Security and privacy are dynamic disciplines. We continuously monitor, assess, and enhance our controls through ongoing risk assessments, third-party reviews, and executive oversight. Our leadership ensures proactive adaptation to emerging threats and evolving regulatory requirements.
Contact
For questions regarding Viscera Health’s Information Security or Privacy programs, or to request access to our Vanta Trust Center, please contact: security@viscerahealth.com