PineReport holds the most sensitive data your camp has: medical incidents involving minors. Here's exactly how we protect it, who has access, and where it lives.
Every byte of camp data is encrypted in transit and at rest. Photos and medical fields use an additional layer of envelope encryption.
PineReport uses industry-standard encryption at every layer of the stack. There is no path through the system where camp data is unencrypted.
Counselors see what they create. Directors see their camp. PineReport employees see nothing without explicit, audited reason.
Customer-facing access: Every account uses role-based access controls. Medical incident details require explicit permission and aren't visible to general staff by default. Every record view is logged in the audit trail.
Employee access: No PineReport employee has standing access to customer data. Production access requires explicit time-bounded grants tied to a specific support ticket, approved by a second engineer, and logged in our audit system. Direct database access is restricted to two senior engineers and requires bastion VPN + hardware key + just-in-time approval.
Authentication: SSO (SAML 2.0 + Google Workspace) on Standard and Large tiers. Multi-factor authentication required for all director and admin accounts. Session tokens rotated on every privilege escalation.
Audit logging: Every access to a medical record is logged with timestamp, user, IP, and reason. Logs are retained for 7 years and are tamper-evident (signed hash chain). Camp admins can review their full audit log at any time.
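To illustrate the signed hash chain described above, here is an added example written for this page (not PineReport's own code; the key, field names and sample events are constructed): each audit entry carries the hash of the previous entry plus an HMAC over its own hash, so editing, deleting, reordering or re-hashing an entry without the signing key is detectable on verification.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key: in production it lives in a KMS/HSM, apart from the log store.
SIGNING_KEY = b"example-audit-signing-key-not-for-production"
GENESIS = "0" * 64  # prev-hash carried by the first entry

def canonical(body: dict) -> bytes:
    """Deterministic encoding so every verifier hashes identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(chain: list, user: str, ip: str, record: str, reason: str, ts: str = "") -> None:
    """Append one record-access event, linked to the previous entry's hash and signed."""
    body = {"ts": ts or datetime.now(timezone.utc).isoformat(), "user": user, "ip": ip,
            "record": record, "reason": reason, "prev": chain[-1]["hash"] if chain else GENESIS}
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    body["sig"] = hmac.new(SIGNING_KEY, body["hash"].encode(), hashlib.sha256).hexdigest()
    chain.append(body)

def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
        if body["prev"] != prev:
            return False, i  # link broken: an entry was deleted, reordered or replayed
        if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False, i  # a field was edited after signing
        want = hmac.new(SIGNING_KEY, entry["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, entry["sig"]):
            return False, i  # hash recomputed by someone without the signing key
        prev = entry["hash"]
    return True, -1

def edit_and_rehash(entry: dict, **changes) -> None:
    """Simulate an insider who can edit log rows but lacks the key: hash is consistent, signature is not."""
    entry.update(changes)
    body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
    entry["hash"] = hashlib.sha256(canonical(body)).hexdigest()

def demo_chain() -> list:
    """Three constructed access events with fixed timestamps (sample data, not real logs)."""
    chain = []
    append_entry(chain, "counselor.a", "203.0.113.7", "MED-001", "incident follow-up", "2026-01-05T10:00:00+00:00")
    append_entry(chain, "director.b", "203.0.113.9", "MED-001", "parent call", "2026-01-05T10:05:00+00:00")
    append_entry(chain, "nurse.c", "203.0.113.11", "MED-002", "medication log", "2026-01-05T10:07:00+00:00")
    return chain
```

The signing key must be held outside the log store (and ideally rotated with the key id recorded per entry) for the signature check to add anything over the bare hash chain.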
While most camps aren't HIPAA covered entities, PineReport handles medical incident data with HIPAA-aligned safeguards.
Most summer camps fall outside HIPAA's definition of a covered entity. But the data — minor injury reports, medication notes, parent communication about medical events — has the same sensitivity. We treat it that way.
HIPAA-aligned handling means encryption, access controls, audit logging, breach notification, and minimum necessary access — applied to medical incident fields specifically. The technical and administrative safeguards mirror what we'd implement for a covered entity.
If your camp operates a healthcare-adjacent program (camps run by hospitals, camps for campers with chronic conditions, day programs reimbursed by insurance), you may need a Business Associate Agreement (BAA). Full BAA-backed HIPAA hosting is available on request as an add-on, running on OVHcloud's HIPAA-attested US datacenters. Talk to us during onboarding and we'll set up the right configuration for your program.
Reviewed by camp insurance counsel; available on request as an add-on for camps whose workflow touches HIPAA-covered records. Provisioned on OVHcloud's HIPAA-attested US datacenters.
From CCPA to PIPEDA to Quebec's Law 25 — PineReport meets your jurisdiction's privacy requirements, including the strict ones.
United States. PineReport complies with state privacy laws including California's CCPA/CPRA and the comprehensive privacy laws of Texas, Colorado, Connecticut, and Virginia. We do not sell or share personal information for any purpose. State-specific data subject rights (access, deletion, portability) are supported through your camp's admin dashboard.
Children's privacy (COPPA). PineReport is not a child-directed service. Campers do not interact with the product, do not have accounts, and do not provide information directly. Counselors log records about campers, analogous to a school records system. The data controller is the camp, with parent consent obtained at registration.
Canada — PIPEDA. Federal compliance with all ten fair information principles. Designated privacy officer at PineReport Inc. Privacy impact assessments documented for major product changes.
Quebec — Law 25. Fully supported. Privacy impact assessments on file. Cross-border transfer impact assessments documented. 72-hour breach notification commitment. French-language consent templates and customer agreement available.
Alberta & British Columbia — PIPA. Provincial breach notification thresholds tracked. Compliance documented in our DPA.
Parent consent. Your camp remains the data controller; PineReport is the processor. We provide a ready-to-use consent paragraph (English and French) for your registration paperwork. Parents direct access requests to your camp; you fulfill them using PineReport's admin tools.
Camp data is hosted in Canada by default and does not leave the region, except for the optional HIPAA add-on described below.
Canadian residency is baked into our architecture, not a retrofit. Every camp's data — including backups and processing — is hosted in Canada by default.
Every third-party service we use to deliver PineReport. Updated when anything changes; notification sent to customers 30 days in advance.
A sub-processor is a third party that touches customer data on our behalf. We keep the list short on purpose; every addition has to clear a security review.
Notification policy: Customers get 30 days' advance notice for new sub-processors. Critical changes (region, vendor replacement) are communicated by email to the camp admin and posted to status.pinereport.com.
Where we are on the certification roadmap. Audit reports available under NDA for prospective customers.
This is PineReport's own organization-level audit, separate from our infrastructure provider's. Audit period began January 2026; report expected Q4 2026. Conducted by an AICPA-registered firm. SOC 2 Type I report available now under NDA. The Type II report covers a 12-month observation of our security, availability, and confidentiality controls.
PineReport runs on OVHcloud, whose infrastructure holds an SSAE 18 SOC 2 Type 2 attestation (security, availability, and confidentiality) alongside ISO 27001. This covers the underlying compute, database, and storage layer your data sits on today, independent of our own organization-level audit above.
Type I report covering controls as of a single point in time. Available to prospective enterprise customers under a mutual NDA, typically as part of procurement due diligence.
Available on request as an add-on for healthcare-adjacent camps, hosted on OVHcloud's HIPAA-attested US datacenters with a signed BAA. Technical and administrative safeguards reviewed against the HIPAA Security Rule.
Compliance with Canadian federal and provincial privacy laws documented in our Canadian DPA, including Quebec's Law 25 (effective September 2023). Privacy impact assessments on file.
Our incident response process, breach notification commitments, and where to report a vulnerability.
24/7 monitoring. Automated alerts on security anomalies, including unusual access patterns, failed authentication spikes, and infrastructure changes outside expected windows.
Incident response team. A trained on-call engineer is reachable within 15 minutes for any priority-1 incident. Severity classification is automated; engineering leadership is paged for any incident that may involve customer data.
Breach notification commitments:
Report a vulnerability. Email security@pinereport.com. We acknowledge reports within 24 hours and credit responsible disclosure researchers in our security hall of fame.
Everything your IT, legal, or insurance team needs. Most documents available immediately; a few require an NDA.
Data Processing Agreement covering subprocessors, breach notification, retention, audit rights. US and Canadian versions.
Business Associate Agreement template for HIPAA-adjacent camps. Negotiable; we'll work with your counsel.
Independent auditor's report on controls as of a point in time. Available to prospective customers under NDA.
Pre-completed CAIQ, SIG Lite, and VSA questionnaires for procurement review. Saves your team hours.
Standard public documents. US and Canadian versions. French version available for Quebec camps under Bill 96.
Have a specific question or compliance requirement? We'll get the right engineer or counsel on a call within 48 hours.