Security & Privacy

You entrust us to keep highly sensitive patient information private, and we never take that trust for granted. That’s why we use the most stringent security protocols, so Kalix meets all government privacy and security requirements.


We’re Serious About Security

Here at Kalix, we take HIPAA and other security regulations very seriously. We have the most stringent procedures and cutting-edge technology in place, making sure Kalix meets government privacy and security requirements. Here you will find the policies that you are subject to:

Terms & Conditions

Privacy Policy

  • Kalix & HIPAA

    The Health Information Portability and Accountability Act (HIPAA) of the United States requires healthcare providers and their business associates (like Kalix) to establish and follow procedures and practices that ensure the confidentiality and security of patient Protected Health Information (PHI) when it is transferred, received, handled, or shared. The HIPAA privacy and security provisions are broadened by the Health Information Technology for Economic and Clinical Health Act (HITECH).

    Kalix is compliant with HIPAA and HITECH, which means customers can rest easy knowing we have the highest standards of security in place to protect PHI.

  • Business Associate Agreement (BAA)

    All paying users in the United States enter into a Business Associate Agreement (BAA) with Kalix. A BAA is a legally binding relationship between covered entities (healthcare providers) and business associates (Kalix) to ensure the complete protection of PHI.

  • Data Storage

    We host Kalix using a HIPAA-compliant cloud storage provider located in the US. All data is stored with triple redundancy in two data centers 500 miles apart.

  • Notice of Privacy Practices

    Healthcare providers must distribute a Notice of Privacy Practices on treatment commencement to all patients. This notice must explain how they collect, handle and disclose PHI, including any EMR system use. Example Notice of Privacy Practices forms are available as part of Kalix’s Template Library.

  • Australian Privacy Principles

    Kalix follows the Australian Privacy Principles (APP) that describe how businesses including healthcare providers can collect, use, and disclose personal information. Customers can rest easy knowing we have the highest standards of security in place to protect patient personal information.

  • Data Storage

    We host Kalix outside of Australia on Windows Azure servers located in the USA. The Australian Privacy Principle 8 (APP 8) applies when personal information is disclosed overseas. APP 8 allows for the processing and storing of personal data out of Australia if the overseas recipient takes reasonable steps to ensure there is no breach of the APPs. The following section describes how Kalix meets all 13 Australian Privacy Principles.

  • Informed Consent

    As per APP 8, Kalix’s Australian customers should expressly inform and gain their patients’ permission before their personal information is entered into Kalix and disclosed overseas. Consent can be obtained verbally, but best practice recommends providing patients with a privacy statement that explains the potential consequences of giving consent. An example consent form is available as part of Kalix’s Template Library.

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

    In Canada, several laws govern privacy rights and personal information, including seven provincial acts and one federal privacy law. The federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), describes, via the Ten Fair Information Principles, how private organizations such as private healthcare practices collect, use, or disclose personal health information during their activities.

  • Data and Privacy Agreement

    We request that all paying customers in Canada enter a Data and Privacy Agreement with Kalix. This agreement aims to ensure that both Kalix as a software vendor and our Canadian customers meet the Ten Fair Information Principles.

  • Data Storage

    We host, process, and maintain Kalix and the Personal Health Information provided through Kalix on Windows Azure servers located in the United States of America. It is not against PIPEDA and provincial laws for private organizations such as healthcare practices to transfer Canadian personal health information out of Canada; in fact, it is common practice.

  • Informed Consent

    It is the responsibility of our Canadian customers to expressly inform and gain the consent of all their patients before collecting, using, and disclosing their data. It is recommended to provide all patients with a Personal Health Information Consent to Disclosure Agreement that explains the potential consequences of giving consent. An example consent form is available as part of Kalix’s Template Library.

  • Kalix & New Zealand Privacy Policy 2020

    In New Zealand, the law that governs privacy rights and the collection, handling, and use of personal information is called the Privacy Act 2020. Kalix meets the requirements of the 13 privacy principles that make up this act.

  • Data Storage

    In New Zealand, Principle 12 (Cross-border Disclosure) applies when sending personal information outside New Zealand. Kalix is hosted on Windows Azure servers located in the United States of America.

    It is not against the Privacy Act 2020 to transfer personal information out of New Zealand if the receiving party is subject to protections and safeguards equivalent to those in the NZ Privacy Act.

    Kalix and our cloud storage provider Azure are subject to HIPAA, HITECH, and other privacy/security laws of the United States of America. These provide comparable safeguards to the New Zealand Privacy Act.

  • GDPR Compliance

    At Kalix, we understand the importance of maintaining the highest data security and privacy standards, especially for healthcare practices managing sensitive patient data. With the implementation of the General Data Protection Regulation (GDPR) in the European Union (EU), we have taken proactive measures to ensure full compliance with this regulation and have reinforced our commitment to providing secure, trustworthy, and transparent services to our clients in the EU.

  • Data Processing Agreement

    We request that all paying customers in the EU enter a Data Processing Agreement with Kalix. This agreement ensures that Kalix, the Processor, and our EU customers, the Controllers, meet the EU General Data Protection Regulation and other data protection laws.

  • Patient Consent

    Under GDPR, healthcare providers in the EU must obtain explicit consent from patients before transferring any data to a service such as an EMR hosted outside the EU. Kalix is hosted on the Microsoft Azure cloud in the United States. It is hence the responsibility of our EU customers to expressly inform and gain the consent of each of their patients before entering any of their data into Kalix.

    This requirement ensures that patients in the EU are aware of what information is being collected and how their data is being used, stored and shared. The GDPR also requires healthcare providers to inform patients of their rights to access, modify, or delete any personal data collected via Kalix.

  • Data Storage and Processing

    As part of our commitment to GDPR compliance, Kalix is hosted on the Microsoft Azure cloud in the United States. Microsoft Azure holds a wide array of EU and international certifications and adheres to the GDPR, ensuring that your data is processed and stored securely within GDPR guidelines.

  • Data Protection

    Our primary obligation as a GDPR-compliant provider is to protect personal health information from unauthorized access, alteration, disclosure, or destruction. We have implemented a multi-layered security infrastructure to ensure high standards of data security, including:

    1. Strong encryption: We use industry-leading encryption techniques to protect your data, both during transmission and while it is stored within our system.
    2. Secure access controls: Our platform features role-based access controls, secure password policies, and multi-factor authentication options to restrict unauthorized access.
    3. Data backup and recovery: Regular backups are performed to ensure data integrity and availability, and a disaster recovery plan is in place to protect your data from unforeseeable events.

  • Data Subject Rights

    We acknowledge and respect the importance of data subject rights under the GDPR, and we are committed to upholding these rights for our users, including:

    Right to access: Your patients have the right to access their personal data held by Kalix, and we will provide the necessary tools to facilitate their data requests.
    Right to portability: You are entitled to request the transfer of your personal data to another provider of your choice.
    Right to erasure: We will process and execute data deletion requests, ensuring the complete removal of your patients’ personal information from our systems, subject to any legal requirements and retention periods.

  • Ongoing Compliance and Updates

    Keeping abreast of the latest data protection regulations and requirements is paramount to our commitment to GDPR compliance. Our team continuously monitors regulatory developments and works closely with legal advisors to ensure our platform stays up to date with the latest guidance from the EU.

  • Transparency and Communication

    In the unlikely event of a personal data breach or any other GDPR-related incident, we are dedicated to providing you with timely and transparent communication. We understand the importance of working in partnership with you to prevent any potential risks to your data and ensure the highest level of data security.


PCI Compliant

Payment Card Industry (PCI) compliance refers to the standards to protect credit card data developed and managed by the PCI Security Standards Council.

Kalix never stores credit card information directly. When patients enter their credit card details into Kalix, they are actually saving them directly to our third-party providers – Stripe or Square. Both Stripe and Square are certified as PCI Service Providers Level 1 – this is the most stringent level of certification available in the payments industry.


Security Safeguards

Your data is safe with us. We have the most rigorous security measures in place to protect your patient records. These include:

  • Kalix uses higher levels of encryption than the current standards, ensuring client records stay secure. All data is encrypted:

    In transit to and from the cloud using TLS (Transport Layer Security).
    In transit between Kalix and our third-party service providers.
    At rest (including all backup copies created by Kalix) using AES-256 encryption.

  • Activity Logs & Snapshots

    Kalix keeps a snapshot of all modifications made to patient data. We record the time a change took place and the login that made the change. If a customer accidentally deletes saved information, we can recover it from a previous snapshot.

  • Monitoring for Suspicious Activity & Incident Notification

    Daily operational procedures are followed to log and monitor data 24/7, looking for suspicious activities. Incident response procedures are in place for containing any breaches and notifying customers if any incident occurs.

  • Recovery Plan

    Kalix has plans to address the recovery or continuation of technology infrastructure critical to our customers after a natural or human-induced disaster.

  • Kalix Staff Access Controls

    At Kalix, access controls are in place, meaning our staff cannot see PHI unless they are given the express permission of the account owner. Two Factor Authentication (2FA) is required when staff log into their work environment.

Secure Client Communication

Kalix customers can send secure, HIPAA-Compliant messages, forms & documents.

  • Minimum Necessary PHI

    Kalix's messaging and reminders feature limits PHI transmission to the minimum necessary. For example, only a patient's first name can be included in a message, not their full name or other identifying information.

  • Opt-In

    Messaging can be opt-in only, requiring patients to consent before receiving messages via Kalix. Furthermore, patients can opt-out of receiving messages at any time.

  • Secure Forms & Documents

    Kalix does not send client forms or documents via email, text-to-voice, or SMS. Instead, it uses a secure web link and a randomly generated code to unlock them. The forms or documents are viewed and completed within Kalix in an encrypted environment.

  • Encrypted Email

    Kalix's email messages are encrypted in transit between Kalix and our third-party provider. Our HIPAA-compliant third-party email provider encrypts data at rest. When transmitting emails to patients and contacts, by default, our third-party provider uses TLS (Transport Layer Security). They also check the validity and legitimacy of the mail server's certificate.

  • HIPAA Compliant Fax

    Kalix's HIPAA-compliant faxing is achieved by using the SIP trunking protocol and encryption. This combination of features makes it possible to fax sensitive medical information without compromising the security of the information. HIPAA-compliant faxing is an essential part of maintaining the confidentiality of client information.

  • SMS & Text-to-voice Messaging

    Kalix's SMS (text) and text-to-voice messaging are encrypted in transit between Kalix and our third-party provider. For privacy and security, our third-party provider does not store a record of your text and voice messages within their system.

Bug Bounties

We offer bug bounties for new, responsibly disclosed issues. If you have found something, please contact us at

Account Access Controls

Privacy and security are built into the Kalix platform, giving private practices powerful features to manage staff access and keep patient data safe.

  • User Login History

    Kalix automatically records every login attempt to a Kalix account. These logs are available to account managers to monitor staff usage and identify any unusual behavior.

  • Password Protection & 2FA

    We require all customers to register for a Kalix account using either a verified email and password or single sign-on authentication (Google or Facebook). Two Factor Authentication (2FA) is available to provide an extra layer of security.

  • Unique User Logins For Group Practices

    Each user in a group practice has their own login to Kalix and is instructed on the risk of sharing access. Kalix's pricing is based on practice volume rather than the number of staff. Hence, adding new users to a Kalix account does not cost more.

  • Account Security Roles

    Kalix offers four user security roles to help account managers limit their staff's ability to view & edit confidential information. Additional permissions can be customized per user, including access to patient documents, billing, and tasks.

  • Auto Log-out

    Kalix protects customers against accidentally leaving their accounts accessible to others on their unattended computers. Kalix automatically ends sessions when customers are logged into Kalix but not actively using the program for a set period.

Data Protection

Our customers maintain ownership of their patient data. Kalix is just its custodian. And we guarantee that patient data stays safe and secure with us!

Data Retention

When a Kalix account is canceled, we keep the customer's client information for six months. After this time, the data is destroyed for security purposes. If records need to be kept for data retention purposes, Kalix's Backup feature allows a copy to be created.

Disclosure to Third Parties

Except as specifically permitted by Kalix's Terms & Conditions, Privacy Policy, Business Associate Agreement and Kalix's Data & Privacy Agreement or required by law, we will not disclose personal health information to any third party without customers' prior consent.

No Marketing Promise

Kalix has a strict policy that prohibits marketing to your clients, and we will not sell your data to any third parties.

Staff Access Controls

Kalix staff can only view customers' Kalix accounts and any entered client data after the account's owner has given them express permission. Kalix staff are also required to use two-factor authentication (2FA) for this access!

Free One Month Trial

Whether you’re a solo or group practice, Kalix offers the right practice management solution and pricing plan that works best for your organization. With no commitments, no contracts, and free-to-cancel anytime, we help you scale your business at a cost that meets your needs.
