Book a Strategy Call

Security & Compliance

HIPAA. GDPR. NDA. Checkr. Continia. These are not marketing checkboxes — they are operational requirements that every THC engagement is built around. Here is exactly what our compliance framework looks like.

HIPAA CompliantGDPR ReadyNDA FirstCheckr VerifiedEncrypted Comms

How We Think About Compliance

Compliance is the floor of the engagement, not a feature of the marketing.

Most virtual assistant platforms treat compliance as a marketing claim — a list of badges on the website that suggests sophistication without actually constraining how the work gets done. The Human Capital operates from the opposite premise: the compliance framework is the floor on which every engagement is built, and the operational choices that flow from it determine what work the VA is allowed to touch, how access is granted, and what happens when something goes wrong.

For healthcare engagements, that means a Business Associate Agreement signed before any system access, a VA who has completed HIPAA training before placement, role-based access that limits the VA to the minimum necessary information for their scope, and the practical requirement that every healthcare-engaged VA has worked through the difference between PHI handling under HIPAA versus general administrative information. The BAA is not a document we sign and file — it is a binding constraint that shapes daily decisions.

For UK and EU engagements, the GDPR framework follows the same logic. THC operates as a data processor under an Article 28-compliant DPA, with processing strictly limited to the documented scope of work. ICO-aligned data handling protocols, encrypted communication via Continia for sensitive document transfer, role-based system access, and explicit data retention and deletion procedures at engagement end are all in scope. For Gulf clients operating under DIFC, ADGM, or PDPL frameworks, additional jurisdictional considerations are documented during onboarding.

Background verification through Checkr happens for every VA placed by The Human Capital, with annual re-verification. The verification covers identity, criminal history, and stated employment history. For clients in regulated industries (healthcare, legal, financial services) where heightened verification is required, additional Checkr verification packages can be configured during onboarding. Verification results are available to clients on request and are maintained in our HR system per the data retention schedule in the engagement contract.

NDA is the front door of every engagement. A mutual NDA is signed before any system credentials are shared, any documents are reviewed, or any business-sensitive information is discussed in any direction. The NDA includes specific language around confidentiality of client data, prohibitions on subsequent disclosure, and the operational protocols that govern how the VA handles information learned during the engagement. NDA breaches are not an after-the-fact remediation conversation — they are a structural prohibition built into the engagement lifecycle from day one.

What this framework produces is not a competitive differentiator for marketing — it is the operational floor that lets us work with healthcare practices, law firms, financial advisors, regulated startups, and any other organization where the consequence of a compliance failure is meaningful. The compliance posture is the precondition for the work, not a feature of it.

Healthcare

HIPAA Compliance

  • Signed BAA with every healthcare client
  • HIPAA training completed before placement
  • PHI access limited to authorized, compliant systems
  • Audit trail available on request
  • Incident reporting protocol per HIPAA Breach Notification Rule

All healthcare-facing VAs complete HIPAA training before any client placement. Training covers the Privacy Rule, Security Rule, Breach Notification Rule, and the specific administrative, physical, and technical safeguards required for handling Protected Health Information (PHI).

Every healthcare engagement includes a signed Business Associate Agreement (BAA) between The Human Capital and the covered entity. Our VAs never access, transmit, or store PHI without explicit client authorization and within systems that meet HIPAA technical safeguards.

Healthcare VAs work within your HIPAA-compliant practice management systems (e.g., Kareo, Athenahealth, EHR platforms). They do not transfer patient data to third-party systems without authorization. Access logs are maintained and available to the covered entity on request.

UK & EU

GDPR & UK GDPR Compliance

  • Article 28-compliant Data Processing Agreement
  • UK GDPR and ICO guidance alignment
  • Data minimization and purpose limitation protocols
  • Encrypted communication for personal data
  • DSAR support coordination with client controller

For UK and European clients, all THC engagements include a Data Processing Agreement (DPA) that meets Article 28 GDPR requirements. Our VAs operate as data processors on behalf of the client (the data controller), with processing activities strictly limited to the documented scope of work.

UK GDPR compliance follows ICO guidance for data processors. THC VAs do not process UK personal data outside of the systems and purposes defined in the DPA. Data subject access requests are managed in coordination with the client controller.

All communications involving personal data use encrypted channels. VAs are trained on data minimization principles, purpose limitation, and the rights of data subjects under GDPR Articles 15–22.

All Engagements

NDA & Confidentiality

  • NDA signed before any engagement begins
  • Covers business information, client data, trade secrets
  • Internal confidentiality protocols enforced
  • Secure credential management required
  • No client data shared with third parties

Every THC engagement begins with a signed Non-Disclosure Agreement before your first call. The NDA covers confidential business information, trade secrets, client data, financial information, and any other proprietary information shared during the engagement.

NDA enforcement is backed by the client's right to seek injunctive relief and liquidated damages in the event of a breach. THC maintains copies of all executed NDAs and can provide them on request.

Beyond the NDA, our ops manual includes internal confidentiality protocols for all VAs: no screenshots of client data, no third-party sharing of client information, and mandatory secure credential management using password managers (not personal email or plaintext storage).

All VAs

Checkr Background Verification

  • Criminal record search across relevant jurisdictions
  • SSN trace for US-based VAs
  • Sex offender registry check
  • Global watchlist screening
  • Annual re-verification for active VAs

Every VA placed by The Human Capital is verified through Checkr — the same background check platform used by Uber, Instacart, DoorDash, and Stripe. Checkr runs comprehensive checks including criminal record searches across relevant jurisdictions, SSN trace (for US-based VAs), sex offender registry, and global watchlist screening.

Background verification is conducted during the vetting process — before any VA is added to our qualified pool. No VA is placed with a client without a cleared Checkr report. This is non-negotiable regardless of how strong the candidate appears in other vetting stages.

Background check results are maintained on file by THC. Clients who require a copy of their VA's background check clearance for compliance purposes can request it. Re-verification is conducted annually for VAs who remain in active engagements.

Data Security

Encrypted Communication

  • Continia encrypted document handling
  • Business-grade password manager required
  • No sensitive data via unencrypted channels
  • Documented client system access
  • Immediate access revocation at engagement end

All communication involving sensitive client data uses encrypted channels. THC uses Continia for encrypted document handling and secure file transfer. Standard communication channels (Slack, email, Zoom) are used for day-to-day coordination — sensitive data is never transmitted through unencrypted channels.

VAs are required to use business-grade password managers for all client credentials. Credential sharing with non-team members is prohibited. All client system access is documented and can be revoked immediately at engagement end.

Device security requirements include current operating systems, enabled firewalls, encrypted storage, and locked workstations when not in use. VAs working with healthcare or legal clients have additional endpoint security requirements.

Compliance FAQs

Does The Human Capital sign a BAA for healthcare clients?

Yes. Every healthcare engagement includes a signed Business Associate Agreement (BAA) between The Human Capital and the covered entity. Our healthcare VAs complete HIPAA training before any placement.

What GDPR documentation do you provide for UK/EU clients?

We provide an Article 28-compliant Data Processing Agreement (DPA) for all UK and EU engagements. THC operates as a data processor on behalf of the client controller, with processing strictly limited to the scope of work.

Can I see my VA's background check results?

Yes. Clients who require a copy of their VA's Checkr clearance report for compliance purposes can request it. Results are maintained on file by THC and re-verification is conducted annually.

What happens to my data when the engagement ends?

All client system access is revoked immediately at engagement end. Client data stored in THC systems is deleted per the data retention schedule in our DPA/NDA. Credentials are removed from VA password managers within 24 hours of engagement termination.

Need Compliance Documentation?

Request our BAA template, DPA template, or VA background check results. We maintain full compliance documentation for every engagement and make it available to clients on request.

Book a Compliance Briefing Call