Is Platform.sh HIPAA compliant?

Is Platform.sh HIPAA Compliant? - Paubox

When it comes to building and launching a website, there are countless options and approaches available.

For people who aren’t familiar with servers, code, and web design, companies like Squarespace, Weebly, and Wix provide easy-to-use site design tools. But for people who are steeped in web technologies (or who have technical staff), outfits like Fortinet provide a blank slate upon which almost any site or application can be built.

Finding the right web host is more complicated for healthcare organizations, however, as covered entities need to have a HIPAA compliant website. And some of the most popular web hosting companies are not HIPAA compliant.

What is Platform.sh?

The approach that Platform.sh takes to web hosting is in its name.

Founded in 2010 by serial entrepreneur Frédéric Plais, the French technology company positions itself as a “platform as a service” company that “delivers everything your team needs to build, run, and scale sites and apps.”

The company has raised over 30 million Euros and today serves more than 65,000 developers working for over 5,000 clients worldwide, including Unity, Pinterest, Orange, and The Economist.

“With Platform.sh, organizations can focus 100 percent of their time on building amazing experiences—and zero time managing infrastructure,” the company says.

Instead of promoting a proprietary design interface, Platform.sh supports WordPress and Drupal content management systems. The company provides:

  • Production cloud hosting
  • Multicloud support: AWS, Microsoft Azure, Orange, Google, and regional partners
  • The ability to run code without modifications between regions and clouds
  • The ability to scale on-demand with 99.99% uptime

What does Platform.sh say about security?

Platform.sh advertises “24×7 data security and privacy” and has a web page dedicated to security and compliance.

“We’re compliant with the European GDPR, German BDSG, Canadian PIPEDA, and the Australian Privacy Act,” the company notes, adding that it uses TLS encryption for data in transit and conducts an annual SOC 2 Type 2 examination for security and availability.

Platform.sh also says it maintains PCI DSS Level 1 compliance for its platform when hosted on Amazon Web Services, Microsoft Azure, or Google Cloud Platform.

What about HIPAA?

Unfortunately, the company’s impressive list of security credentials does not include HIPAA. And while Platform.sh will provide a data processing agreement under GDPR and BDSG, it does not offer a business associate agreement.

HIPAA is mentioned in a 2018 blog post by its CEO titled “What does it take to adapt your SaaS offering to meet enterprise requirements?”

“Every enterprise organization comes with its own requirements: ISO 27001, GDPR in Europe, SOC1, SOC2, PCI for e-commerce/transactions, HIPAA for healthcare, FedRAMP for government,” Plais writes. “These are critical, mandatory, or reassuring quality points for large enterprise customers currently managing businesses in a world where security threats have never been so pervasive and challenging to combat.”

But as far as HIPAA compliance from Platform.sh itself goes, the only information we could find is a PDF titled “Platform.sh White Label Cloud Experience for Agencies & Software Vendors.”

“In Q1 2018 we will achieve GDPR and PCI level 1 compliance, followed by ISO 9000, ISO 27001, SOC 2, HIPAA and FedRAMP,” the document reads.

Unfortunately, it doesn’t appear as if that goal was fully achieved.

Is Platform.sh HIPAA compliant?

Although the company and its leadership are familiar with international security and privacy requirements, and the company complies with various European laws, Platform.sh does not appear to be a HIPAA compliant web host.

We should also note that the email options available from Platform.sh are fairly limited, and are not suitable for sending HIPAA compliant email.


About the author

Ryan Ozawa