FirstWatch Data Security FAQs

Frequently Asked Questions

FirstWatch has been in the business of public safety and public health data for 28 years. In that time, technology has changed significantly. However, our commitment to transparency and data security has remained steadfast. Following are answers to some of the common questions we receive about our data practices. If you need further assistance, please reach out to your account manager or email Kevin Lee, director of engineering, at klee@firstwatch.net.

Data Retention & Storage

FirstWatch maintains a SOC 2 Type 2 attestation for our data centers. This is an independent audit of cybersecurity controls over an extended period, developed by the American Institute of Certified Public Accountants. Additionally, FirstWatch adheres to the U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework to manage risk.

We implement role-based access control, unique user identification, and mandatory two-factor authentication for all systems containing protected health information (PHI). All data is encrypted both at rest (AES-256) and in transit (TLS 1.2 or stronger). 

No. Customer data is never shared with or sold to third parties. Our customers retain full ownership of the data stored in our systems.

We have established incident response and notification procedures. In the event of a breach involving Protected Health Information (PHI), we notify affected individuals and the Department of Health and Human Services (HHS) in accordance with HIPAA regulations. 

Yes. All FirstWatch personnel are required to participate in annual security, privacy, and HIPAA awareness training. 

Yes. We perform regular, ongoing vulnerability assessments and engage third-party professionals for annual penetration testing to proactively identify and mitigate system vulnerabilities. 

All of our services, including application hosting and data backups, are provided within the country of origin for our customers (e.g., the United States for U.S.-based customers, Canada for Canadian-based customers). 

Data is retained according to customer requirements. Upon end-of-life, we sanitize, purge, or destroy data in accordance with NIST 800-88 standards to ensure it is unrecoverable. 

Yes. We support standard authentication mechanisms, including single sign-on, multi-factor authentication (MFA), and integration with identity management systems like Microsoft Entra ID.

Yes. FirstWatch performs comprehensive pre-employment screening, including background checks, for all personnel with access to sensitive IT resources, data, or physical facilities. 

Artificial Intelligence (AI) & Large Language Models (LLMs) 

Yes, FirstWatch has moved beyond the development phase and is rolling out AI features to our customers as a standard component of our service suite. 

Yes. Our AI processes are designed to be fully HIPAA-compliant. We apply the same rigorous security, data protection, and privacy standards to our AI-integrated services as we do to our core platform. 

FirstWatch uses data strictly in accordance with contractual agreements and applicable regulations. We do not use your data for external AI training purposes that would violate privacy commitments or data ownership rights. 

We maintain transparent documentation regarding our technology stack. Please refer to your AI Authorization documentation or contact our security team for specific questions regarding our AI deployment and security controls. 

As AI is becoming a standard part of our service suite, please contact your account manager to discuss your specific operational requirements and configuration options. 

Disclaimer

Last updated May 26, 2026. These answers are provided for informational purposes only. Please refer to your specific Master Service Agreement (MSA) and governing Privacy Policy for legally binding contractual commitments.