Healthcare & Pharma
Your patient data never touches third-party JavaScript
Every vendor tag on a healthcare website has DOM access to the entire page — including patient portals, appointment forms, and condition-specific browsing data. Datafly Signal replaces all vendor JavaScript with a single first-party collector and delivers data server-side from your own infrastructure.
- Zero vendor JS on page: no third-party scripts with DOM access to patient-facing pages
- VPC, your infrastructure: single-tenant deployment in your cloud account
- 4 modes of PII handling: hash, mask, strip, or pseudonymise — per field, per vendor
- 100% audit coverage: every data access, every change, every delivery — logged
Why client-side tags are a compliance risk
Healthcare organisations face unique regulatory pressure. Third-party vendor tags create risks that no amount of consent management can fully mitigate.
DOM access to patient data
Every vendor JavaScript tag has full DOM access. On a healthcare site, that means potential exposure to appointment details, condition searches, prescription information, and portal credentials.
Data residency requirements
HIPAA, GDPR, and national health data regulations require strict control over where patient data is processed and stored. Multi-tenant vendor platforms cannot guarantee data isolation.
Audit trail requirements
Healthcare compliance demands a complete audit trail of every data access and transmission. Client-side tags send data directly to vendor servers with no visibility or control.
Deploy in your VPC. Control everything.
Datafly Signal deploys as a single-tenant cluster in your own cloud account. Patient data never leaves your infrastructure until you explicitly deliver it — hashed, masked, or stripped — to an approved destination.
Single-tenant VPC
Deploy on GCP, AWS, or Azure via Helm charts. Kubernetes or Docker Compose. Your cloud account, your network, your encryption keys. Datafly has zero access.
- Customer-hosted Kubernetes or managed service
- Data never leaves your VPC until you approve delivery
- Full network isolation per deployment
Automatic PII protection
Four PII handling modes applied per field, per vendor — before any data leaves your infrastructure. No manual configuration per destination.
- SHA-256 hash — for matching without exposing data
- Mask — partial redaction for operational visibility
- Strip — complete removal before delivery
- Pseudonymise — reversible tokenisation for research
Complete audit trail
Every configuration change, every data delivery, every user access — logged with before/after diffs, timestamps, and user attribution. Immutable and exportable.
- Before/after diffs for every change
- User attribution with IP and timestamp
- Exportable for compliance review
PII handling built into every pipeline
Patient email is SHA-256 hashed for ad platform matching, phone is hashed, name is completely stripped, and IP is masked — all automatically before any data leaves your infrastructure. Consent is enforced at both collection and delivery time.
- Per-field PII rules applied before vendor delivery
- Double consent enforcement (client + server)
- No patient names ever leave your infrastructure
- IP masking for analytics without geolocation exposure
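As an added illustration (not Datafly's code), the following Python applies per-field rules in the same shape as the org_data_layer block of the pipeline definition that follows, then gates delivery on server-side consent. The rule set, the event, and the choice to mask IPs to /24 (IPv4) or /48 (IPv6) are assumptions made for this example.

```python
import hashlib
import ipaddress
# Constructed rules in the shape of the page's org_data_layer block (not Datafly code).
PII_RULES = [
    {"field": "context.traits.email", "action": "sha256"},
    {"field": "context.traits.phone", "action": "sha256"},
    {"field": "context.traits.name", "action": "strip"},
    {"field": "context.ip", "action": "mask"},
]
CONSENT_REQUIRED = ["analytics", "marketing"]
# Constructed appointment_booked event as the collector might receive it.
SAMPLE_EVENT = {
    "event": "appointment_booked",
    "properties": {"service_type": "cardiology", "location_id": "loc-12"},
    "context": {
        "ip": "203.0.113.77",
        "consent": {"analytics": True, "marketing": True},
        "traits": {"email": " Jane.Doe@Example.com ", "phone": "+15551234567", "name": "Jane Doe"},
    },
}

def _parent(obj, path):  # (parent dict, last key) for a dotted path; parent is None if missing
    *head, last = path.split(".")
    for key in head:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return (obj if isinstance(obj, dict) else None), last

def mask_ip(value):  # zero the host part (/24 IPv4, /48 IPv6) so only a coarse region remains
    addr = ipaddress.ip_address(value)
    net = ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False)
    return str(net.network_address)

def apply_pii_rules(event, rules=PII_RULES):
    """Rewrite the event in place before any delivery; raw PII values never survive."""
    for rule in rules:
        parent, key = _parent(event, rule["field"])
        if parent is None or key not in parent:
            continue  # field absent on this event: nothing to protect
        raw, action = parent.pop(key), rule["action"]
        if action == "sha256":  # normalise first so the vendor-side match is stable
            norm = str(raw).strip().lower()
            parent[key + "_hash"] = hashlib.sha256(norm.encode()).hexdigest()
        elif action == "mask":
            parent[key] = mask_ip(raw)
        elif action != "strip":  # strip is already complete after the pop above
            raise ValueError(f"unknown PII action {action!r}")
    return event

def consent_granted(event, required=CONSENT_REQUIRED):  # every purpose must be explicitly True
    granted = event.get("context", {}).get("consent") or {}
    return all(granted.get(purpose) is True for purpose in required)
```

Note that `email_hash` is written beside the removed `email` field, which is the name the page's google_ads mapping reads from.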
```yaml
# Patient Journey Pipeline
event: appointment_booked
source: web
org_data_layer:
  schema:
    - field: properties.service_type
      type: string
      required: true
    - field: properties.location_id
      type: string
  pii:
    - field: context.traits.email
      action: sha256
    - field: context.traits.phone
      action: sha256
    - field: context.traits.name
      action: strip
    - field: context.ip
      action: mask
  consent:
    required: [analytics, marketing]
pipelines:
  - name: google_ads
    integration: google-ads-enhanced-conversions
    event_name: appointment_booked
    mapping:
      - source: context.traits.email_hash
        target: user_data.sha256_email_address
      - source: properties.service_type
        target: custom_variables.service_type
  - name: analytics
    integration: google-analytics-4
    event_name: generate_lead
    mapping:
      - source: properties.service_type
        target: params.item_category
      - source: properties.location_id
        target: params.location_id
```

Compliance by architecture, not by policy
Instead of relying on vendor promises about data handling, Signal gives you architectural guarantees — your data, your infrastructure, your encryption keys.
Regulatory frameworks supported
- HIPAA — data never leaves your VPC
- GDPR — full data residency control, DSAR support
- CCPA — consent enforcement and data deletion
- NHS Data Security & Protection Toolkit
- ePrivacy Directive / PECR
Enterprise security
- AES-256-GCM encryption at rest
- TLS 1.3 encryption in transit
- Envelope encryption with your cloud KMS
- Zero-downtime key rotation
- 5 RBAC roles with least-privilege design
Frequently asked questions
- How does Datafly Signal address HIPAA concerns with web tracking?
- Patient health information classifications are stripped at the Signal Core before any vendor delivery. The platform itself runs single-tenant in your own VPC, meaning patient data never traverses Datafly's infrastructure. Compare this with the Meta Pixel and gtag.js controversies of recent years where third-party scripts on hospital and pharma sites were found exfiltrating PHI to ad platforms — Datafly Signal eliminates that category of risk by keeping all event collection inside your covered-entity boundary.
- Does Datafly support BAAs (Business Associate Agreements)?
- Datafly Ltd does not need a BAA because the platform runs in your VPC and Datafly never accesses your event data. The cloud provider (AWS, GCP, Azure) is the relevant Business Associate, and they all sign HIPAA BAAs. The single-tenant architecture is what makes this defensible — multi-tenant SaaS analytics platforms (Adobe, GA4 unmodified, Segment) cannot offer the same posture without significantly more configuration scrutiny.
- Can we still use Meta CAPI and Google Ads for marketing without HIPAA exposure?
- Yes, with the right transforms. PHI fields (diagnosis codes, condition mentions, prescription data) are stripped before delivery. Aggregate or non-identifying signals (general site visits, completion of "request more information" forms) can be sent. The Org Data Layer's field-by-field classifications make the line between HIPAA-protected and non-protected data explicit and auditable, which is what your compliance review actually needs.
- How does this work with our patient portal authentication?
- Datafly.js does not load on authenticated portal pages by default in healthcare deployments. The pre-login marketing site (provider directory, service descriptions, appointment booking flows) uses Datafly Signal for measurement; post-login portal pages either skip the collector entirely or use it with a strict allowlist of non-PHI events. The deployment pattern is part of the standard healthcare configuration.
- How do we handle GDPR for EU operations alongside HIPAA?
- Multi-region single-tenant deployments isolate EU customer data in EU infrastructure with EU-only vendor endpoints, while US deployments handle HIPAA. Per-region pipeline configurations allow the same product team to manage both compliance regimes through one interface. Audit logs are retained per the longer of the two applicable retention requirements.
Ready for HIPAA-ready server-side tracking?
Book a technical walkthrough with our engineering team. We'll show you the VPC deployment, PII handling pipeline, and audit capabilities — in your environment.