Security & data handling
How we handle your data
Last reviewed:
1. What data we collect
VialWatch is an information and research service for pharmaceutical shortage intelligence. The platform collects and stores the following:
| Category | Examples | Source |
|---|---|---|
| Account data | Email, name, organization, role | You provide at signup |
| Watchlist data | Drugs you choose to track | You add via the dashboard |
| Sourcing requests | Drug name, urgency, requirements (Enterprise only) | You submit via the dashboard |
| API key metadata | Hashed key, label, last-used timestamp | You generate in Settings |
| Operational logs | API request paths, login events, IP at signup | Generated automatically |
| Public regulatory data | FDA shortages, recalls, approvals, manufacturer info | Pulled from public US government sources |
What we do NOT collect
- No Protected Health Information (PHI). VialWatch is not a clinical or patient-care system. We do not collect, store, transmit, or process patient identifiers, diagnoses, treatments, or any other PHI.
- No payment card data. Card numbers, expiration dates, and CVCs are entered directly with Stripe and never touch VialWatch infrastructure.
- No browsing or tracking cookies beyond session auth. No third-party analytics scripts on the dashboard.
2. Where data lives
VialWatch runs on US-based infrastructure:
- Application + database: Hostinger Premium Cloud (US datacenters), MySQL 8 with daily encrypted backups
- Payment processing: Stripe, Inc. (PCI DSS Level 1 certified)
- Email delivery: Authenticated SMTP via Hostinger Mail Servers (SPF, DKIM, DMARC published — verifiable at vialwatch.com DNS)
- DNS: Hostinger DNS, with HTTPS enforced via Let's Encrypt certificates
3. How data is protected
- In transit: All connections use TLS 1.2+ via HTTPS. HTTP requests are redirected to HTTPS at the edge.
- At rest: Database files reside on encrypted server storage. Backups are encrypted before retention.
- Authentication: Passwordless magic-link sign-in via single-use signed tokens. No passwords are ever stored. Session cookies are HMAC-signed with HttpOnly + Secure + SameSite=Lax flags.
- API keys: Stored as SHA-256 hashes only. The raw key is shown to you exactly once at creation; you can revoke or rotate any time. Default rate limit: 60 requests/minute per key.
- Email authentication: Outbound mail signed with DKIM (RSA-2048) and validated with SPF and DMARC. Independently scored 9/10 deliverability on mail-tester.com.
4. Compliance posture
HIPAA
Because VialWatch does not handle PHI, HIPAA Business Associate Agreements (BAA) are not required for typical use. If your organization's privacy team requires a BAA for any reason, contact us — we can discuss scope.
SOC 2 / HITRUST
Not currently certified. VialWatch is in private beta as of 2026, and we are evaluating SOC 2 Type II and HITRUST CSF for late 2026 / early 2027. We are happy to walk through specific security questionnaires (HECVAT Lite, SIG Lite, vendor risk assessments) for Enterprise customers on request — email contact@vialwatch.com.
HECVAT / Vendor risk
For health systems requiring a HECVAT or similar vendor security questionnaire, we maintain a current response and can share it under NDA with prospective Enterprise customers.
5. Independence & conflicts of interest
VialWatch does not accept payment, sponsorship, advertising, or any other commercial relationship from drug manufacturers, wholesale distributors, brokers, or group purchasing organizations in exchange for placement, ranking, or favorable mention in our briefs or alerts. This independence is enforced at the company level — there are no manufacturer-side equity holders, board observers, or commercial agreements.
6. Incident response
In the event of a security incident materially affecting customer data, we will notify affected accounts via email within 72 hours of confirmed detection, and post an incident report at vialwatch.com. We will also notify regulatory authorities as required by applicable state breach-notification laws.
7. Data retention & deletion
Account data is retained while your subscription is active. After cancellation or deletion request:
- Subscriber + watchlist + sourcing-brief data is deleted within 14 days
- Operational logs (API requests, email events) are retained for 180 days for security/audit purposes, then purged
- Stripe-side billing records are retained per Stripe's policy (typically 7 years for tax/financial reasons)
To request deletion, email contact@vialwatch.com from the address tied to your account, with subject "Data deletion request."
8. Subprocessors
Third-party services that handle data on our behalf:
| Subprocessor | Purpose | Data accessed |
|---|---|---|
| Hostinger International | Application hosting, MySQL, email delivery | All application data |
| Stripe, Inc. | Payment processing | Email, billing details |
| U.S. FDA (data source) | Drug shortage, recall, and approval data | None — we pull public data only |
9. Reporting a security issue
If you discover a security vulnerability or suspected breach, please email security@vialwatch.com (or contact@vialwatch.com if the security mailbox is unreachable). We acknowledge receipt within 24 hours and aim to remediate critical issues within 72 hours.
10. Contact & questionnaire requests
For HECVAT, SIG Lite, custom security questionnaires, or to request a copy of our incident response plan: email contact@vialwatch.com with subject "Security review."