Compliance
Updated: Apr 1, 2025
Empathiq is designed to support organizations with high regulatory and operational standards. We maintain compliance with critical data protection and privacy frameworks by leveraging audited infrastructure partners and adhering to best practices in data governance.
HIPAA Compliance
Our Script feature is delivered through a secure, enterprise-grade integration with Typeform—a HIPAA-compliant service provider.
PHI Protections: Protected Health Information (PHI) is never stored or accessed by Empathiq. All PHI is processed exclusively through Typeform’s encrypted, compliant systems.
Business Associate Agreement (BAA): Clients may request and sign a BAA directly with Typeform. We facilitate this process upon request.
Form Security: All form responses are encrypted in transit and at rest, with strict access controls applied to HIPAA-covered components.
SOC 2 Type II Certification
Empathiq’s Platform and Knowledge Base are powered by Supered, which maintains SOC 2 Type II certification with zero exceptions.
Annual independent audits of controls and infrastructure
Verified controls for security, availability, and confidentiality
Tenant-level data isolation and encryption enforced across the platform
GDPR Compliance
Empathiq is committed to GDPR compliance across all customer data touchpoints.
All subprocessors operate in accordance with GDPR and provide Standard Contractual Clauses (SCCs) where applicable.
Our infrastructure partners (AWS, Fly.io, and Typeform) are fully GDPR-aligned.
Data Subject Requests (DSRs) can be submitted to: hello@getempathiq.com
Business Associate Agreements (BAA)
We facilitate HIPAA compliance through our Script solution, but Empathiq itself does not process or retain PHI.
Who signs the BAA? Clients sign directly with Typeform, our secure form partner.
Empathiq’s role: We support the deployment and maintenance of the Script feature but do not have access to form responses unless explicitly authorized.
Subprocessors & Data Residency
A full list of subprocessors is available on our Subprocessors page. Our core application and backup systems are hosted in secure U.S. regions.
Empathiq never sells user data.
All subprocessors are contractually bound to maintain data security and confidentiality.
For more information on compliance documentation or audit reports, or to request BAA facilitation, contact us at compliance@getempathiq.com.