Our Security Posture

We hold ourselves to the standard we manage.

Our clients get asked hard questions about security, so we answer the same questions about ourselves — unprompted. Below is our completed vendor disclosure. If your diligence process needs it in your own format, we'll complete your questionnaire.

Do you access, store, or process PHI?

No. We handle documentation and coordination only. Our engagement terms prohibit clients from sending us PHI, and our intake process screens for it. If PHI reaches us in error, we delete it and notify the client.

Do you access client production systems?

No. We never install software or receive production credentials. Where we need to see client documentation systems, we work through least-privilege guest accounts that the client creates, controls, and can revoke at any time.

How is access to your own systems controlled?

Multi-factor authentication is enforced on every business account. All client work happens under our business domain — we do not use personal email accounts or personal file storage for client material.

How is client data stored and protected?

Client documents live in the client's own systems wherever possible. Material we hold is kept in access-controlled business cloud storage, encrypted in transit and at rest by the provider, and separated per client — no shared workspaces across clients.

What happens to our data when the engagement ends?

We return or delete client material at termination, at the client's choice, and confirm in writing when deletion is complete.

What third-party services touch data from this website?

Form submissions on this site are processed by HubSpot (our CRM). We do not sell or share visitor data with anyone else. See our Privacy Policy for details.

How do you handle security incidents?

If we become aware of an incident affecting a client's material, we notify that client without undue delay — no later than 72 hours after we confirm it — and cooperate fully with their response.

Will you complete our vendor security questionnaire?

Yes. Send it to support@earlymorninghealth.com and we'll return it on our standard response timeline. This page is our standing disclosure — published before anyone asked, because that is the posture we build for clients.

The short version

No PHI. No production access. No software installs.
MFA everywhere, per-client separation, client-controlled guest access.
Your documents stay in your systems wherever possible.
Everything returned or deleted at the end of the engagement.
Security questions: support@earlymorninghealth.com