Privacy and Security Addendum
Last updated: June 7, 2026
This Privacy and Security Addendum (“Addendum”) supplements the Terms of Service or other written agreement between Growing Higher LLC (“Growing Higher,” “we,” “us,” or “our”) and the customer that uses the Pebble platform (“Customer”). This Addendum describes baseline privacy and security commitments for the Pebble platform.
If this Addendum conflicts with the Business Associate Agreement with respect to PHI, the Business Associate Agreement controls.
1. Platform Role
Pebble is a software platform for behavioral-health practice operations, including patient records, scheduling, documents, messaging, billing workflows, and patient portal features.
Growing Higher does not provide medical care, clinical advice, diagnosis, treatment, billing advice, legal advice, or compliance advice. Customer is responsible for clinical services, patient relationships, medical record content, patient notices, patient consents, billing decisions, payer submissions, and compliance with laws applicable to Customer’s practice.
2. Data Ownership and Use
Customer retains ownership of Customer Data. Growing Higher uses Customer Data to provide, maintain, secure, support, troubleshoot, and improve the Services, comply with law, enforce agreements, and fulfill customer instructions.
Growing Higher does not sell PHI. Growing Higher does not use PHI to train third-party or general-purpose artificial intelligence models unless Customer separately agrees in writing.
Growing Higher may use aggregated or de-identified information for analytics, operations, security, benchmarking, product improvement, and business purposes, provided the information does not identify Customer, Individuals, or other natural persons unless otherwise permitted by law and agreement.
3. Administrative Safeguards
Growing Higher maintains or will maintain administrative safeguards designed to protect Customer Data, including:
- internal access management;
- role-based access expectations for the Services;
- policies or procedures for handling security events;
- workforce confidentiality expectations;
- vendor and subprocessor due diligence for PHI-relevant services;
- incident response coordination;
- security-conscious development practices; and
- periodic assessment of access and security controls.
4. Technical Safeguards
Growing Higher maintains or will maintain technical safeguards designed to protect Customer Data, including:
- authentication for workforce and patient portal access;
- organization and patient scoping controls;
- encryption in transit for production service traffic;
- encryption at rest for production data stores where supported by the infrastructure;
- private storage for uploaded documents and media;
- audit logging for sensitive application actions where implemented;
- infrastructure logging and monitoring;
- secure configuration of production cloud resources;
- backup and recovery controls; and
- controls designed to prevent public access to private storage.
5. Physical and Cloud Infrastructure Safeguards
Pebble is hosted using cloud infrastructure and managed services. Cloud providers are responsible for physical data center controls under their service terms and compliance programs. Growing Higher is responsible for configuring and operating the Pebble application and cloud resources under the shared responsibility model.
Customer must not place PHI in staging, demo, local, support, or test environments unless Growing Higher expressly identifies the environment as PHI-capable.
6. Access Controls
Customer is responsible for:
- designating an account owner or administrator;
- inviting only authorized users;
- assigning appropriate roles and permissions;
- promptly removing users who no longer need access;
- ensuring users keep credentials confidential;
- protecting Customer-managed devices and networks; and
- monitoring account activity and configuration.
Growing Higher may suspend access when reasonably necessary to protect the Services, prevent misuse, comply with law, address nonpayment, or respond to security risk.
7. Subprocessors
Growing Higher may use subprocessors to provide hosting, infrastructure, authentication, storage, security, billing, payment, claims, communication, monitoring, support, or professional services.
Growing Higher will require PHI-relevant subprocessors to maintain appropriate written privacy and security obligations, including business associate agreements where required by HIPAA.
Growing Higher maintains or will maintain a current subprocessor list or vendor register.
8. Incident Response
Growing Higher will maintain an incident response process designed to investigate, contain, mitigate, and remediate security events affecting the Services.
For PHI-related incidents, Growing Higher will provide notice to Customer as required by the Business Associate Agreement and applicable law.
Customer is responsible for notifying Growing Higher promptly if Customer suspects unauthorized account access, credential compromise, misdirected PHI, improper user access, or other security concerns involving the Services.
9. Data Export, Retention, and Deletion
Customer is responsible for exporting Customer Data before cancelling an account where export is available and needed for Customer’s records.
After termination or cancellation, Growing Higher may retain Customer Data as needed for legal, contractual, security, backup, audit, dispute, tax, billing, or compliance purposes. Retained PHI remains subject to the Business Associate Agreement for as long as Growing Higher maintains it.
Backup deletion may occur on a delayed schedule according to backup retention cycles.
10. Security Information
Growing Higher may provide reasonable security information to Customers under appropriate confidentiality terms. Growing Higher is not required to disclose information that could compromise the security of the Services, other customers, vendors, or internal systems.
Growing Higher should not claim SOC 2, HITRUST, ISO 27001, HIPAA certification, penetration test completion, or similar certifications unless those reports or certifications are actually complete and approved for disclosure.
11. Customer Responsibilities
Customer is responsible for:
- determining whether Customer is a covered entity, business associate, Part 2 program, or otherwise subject to special privacy rules;
- maintaining Customer’s own Notice of Privacy Practices;
- collecting and maintaining patient consents and authorizations;
- configuring the Services consistent with Customer’s legal and clinical obligations;
- ensuring Customer’s users have appropriate licenses, credentials, and authority;
- limiting PHI entered into the Services to information Customer is permitted to process;
- responding to patient rights requests unless otherwise agreed;
- maintaining local device, network, and credential security; and
- complying with state and federal laws applicable to Customer’s practice.
12. Part 2 and Specially Protected Information
Customer must notify Growing Higher before using the Services for substance use disorder records subject to 42 CFR Part 2 or other specially protected information that requires restrictions not already supported by the Services.
Growing Higher may require additional terms or configuration before supporting Part 2 or other specially protected records.