Adopt a Center (logo) Adopt a Center (logo)
Save More Lives

Security and Privacy

4US is the operational platform for pregnancy help centers participating in machine delivery and reporting programs with 4US and the Knights of Columbus. We treat the data partner centers entrust to us as a serious responsibility. This page describes the controls in place to protect that data and the people behind it.

Secure infrastructure • Role-based access • Encrypted data • Aggregated, non-identifying operational data

Infrastructure and Hosting

The 4US partner portal runs on a two-layer infrastructure. The application is hosted in privately owned, certified data facilities; operational data is stored in Microsoft Dataverse on Microsoft Azure.

Partner portal application servers

Hosted in privately owned data facilities with the following safeguards and certifications:

  • Privately owned data facilities with 24×7 monitoring and controlled physical access
  • SOC 2 Type 2 certified
  • HIPAA-compliant hosting environment
  • Acronis-backed continuous data protection, replication, and disaster recovery

Operational data storage

Center information, contacts, monthly reports, and application submissions are stored in Microsoft Dataverse / Dynamics 365, hosted on Microsoft Azure:

  • ISO 27001, SOC 1, SOC 2, and SOC 3 aligned
  • FedRAMP- and HIPAA-eligible Azure environments
  • Tenant-scoped, logically isolated storage
  • Redundant infrastructure and environmental safeguards

Access Control

Access to internal 4US systems is granted on a least-privilege basis and reviewed regularly. Authentication and authorization are managed through Microsoft Entra ID and Dataverse security roles.

  • Multi-factor authentication enforced for all staff and administrative accounts
  • Conditional Access policies restrict logins by device, location, and risk
  • Role-based permissions enforced through Dataverse security roles, business units, and field-level security
  • Strong password requirements
  • Access is removed promptly when individuals leave the organization

Data Protection and Encryption

4US applies industry-standard encryption to protect data both in storage and in transit.

  • Data at rest - AES-256 encryption (SQL Transparent Data Encryption) within Microsoft Dataverse; encrypted backups on the partner portal layer via Acronis.
  • Data in transit - TLS 1.2 or higher for all external and inter-service connections, with certificates issued by a public Certificate Authority.

Aggregated Reporting and Limited Data Collection

The operational metrics we collect on behalf of partner centers - clients seen, scans performed, pregnancy tests, life-saving outcomes - are stored as aggregated monthly counts, not as individually identifiable patient records. 4US does not collect, store, or process personal health information about the individuals served at partner centers.

This is a deliberate design choice. By keeping client-level visit data out of the platform entirely, 4US reduces risk both for partner centers and for the people they serve.

AI Assistant

The 4US AI assistant helps partner centers interpret their own performance data and identify opportunities for improvement. It is built on the OpenAI API, with the following protections:

  • No personal data is sent to the AI. Only aggregated operational metrics and general center information are ever passed to the model.
  • Access boundaries are enforced. Users can only ask the assistant about centers they are authorized to see; the assistant inherits the same role-based permissions as the rest of the platform.
  • No model training on 4US data. Per OpenAI's API terms, prompts and outputs sent through the API are not used to train OpenAI's models.

Logging and Auditing

Dataverse auditing is enabled to log access, changes, and administrative actions on operational data. Logs are retained in accordance with applicable regulatory requirements and used for troubleshooting, anomaly detection, and incident investigation.

Business Continuity

  • Continuous backups of partner portal data via Acronis, with replication to a separate site
  • Automated point-in-time restore for Microsoft Dataverse operational data
  • Recovery procedures are reviewed and tested

Incident Response and Notification

4US maintains internal incident response procedures designed to identify, evaluate, and address security events in a timely manner. If a security incident affects partner data, affected organizations will be notified and provided the information necessary to support their own reporting and compliance obligations, consistent with applicable law.

HIPAA and Privacy Framework Alignment

While 4US is not legally subject to HIPAA, we voluntarily use HIPAA as a guiding framework for confidentiality practices. The platform was designed with HIPAA considerations in mind and includes controls that support organizations seeking to align with HIPAA-related privacy and security principles.

There is currently no certification program approved by the U.S. Department of Health and Human Services through which a cloud service provider can formally demonstrate HIPAA compliance.

Privacy Commitment

  • 4US will never sell partner center data or user data.
  • Partner data is not used for advertising or marketing to third parties.
  • 4US collects only the information necessary to operate its programs.

Shared Responsibility

Maintaining strong security is a shared responsibility between 4US and the centers we serve. Partners are asked to:

  • Use sufficiently complex passwords
  • Safeguard login credentials
  • Maintain appropriate security on local systems used to access the portal