COMPLIANCE & DATA SECURITY

Strategy Collective Trust Center.

Every patient interaction is a trust transaction. We architect marketing infrastructure that protects PHI, satisfies your compliance counsel, and survives diligence from the next buyer.

HIPAA Compliant
BAA on File
Server-Side Only
SOC 2 Aligned
01

Business Associate Agreements

The legal foundation underpinning every engagement.

BAA Execution Policy
Strategy Collective executes a Business Associate Agreement (BAA) with every healthcare client before any data access is provisioned. We do not begin campaign deployment, analytics configuration, or CRM integration until the BAA is countersigned and on file.
  • Standard BAA template available for legal review within 24 hours of engagement kickoff
  • Accommodates client-preferred BAA language and addenda
  • Covers all subprocessors (ad platforms, analytics vendors, CRM systems) under our umbrella
  • Annual BAA review cycle aligned with your compliance calendar
Workforce Training & Access Controls
Every Strategy Collective team member with client system access completes annual HIPAA training and signs individual confidentiality agreements. Access is provisioned on a minimum-necessary basis and revoked within 24 hours of role change or offboarding.
  • Role-based access control (RBAC) across all client environments
  • Multi-factor authentication (MFA) required for all client-facing tools
  • Quarterly access audits with client visibility
02

PHI Sanitization Architecture

Stripping protected health information before it touches any ad platform or analytics vendor.

Freshpaint / OursPrivacy / Curve Integration
We deploy HIPAA-compliant data routing layers (Freshpaint, OursPrivacy, or Curve) that intercept all patient-side tracking events before they reach Google, Meta, or any third-party pixel. PHI is stripped at the proxy layer—not after the fact.
  • Client-side JavaScript never transmits raw form data to ad platforms
  • IP addresses, URL parameters containing PHI, and form field values are sanitized in real time
  • Conversion events are hashed and matched server-side, never via browser cookies
  • Full audit log of all data routing decisions retained for compliance review
Pixel & Tag Audit Protocol
Before any campaign goes live, we perform a full tag audit of your web properties to identify and remediate unauthorized data collection points. Inherited tracking tags, orphaned pixels, and misconfigured GTM containers are the #1 source of accidental PHI exposure.
  • Automated scanning for unauthorized third-party scripts
  • GTM container lockdown with approval-based change management
  • Ongoing monitoring for new script injections post-launch
03

Server-Side Tracking

Attribution without liability. Closed-loop measurement without client-side pixel risk.

Server-Side Conversion Infrastructure
Strategy Collective deploys server-side Google Tag Manager (sGTM) and server-side Conversions API (CAPI) for Meta, eliminating the need for client-side pixels that collect browser-level PHI.
  • First-party data collection via your own subdomain (no third-party cookie dependency)
  • Google Enhanced Conversions and Meta CAPI configured server-side
  • Conversion data hashed (SHA-256) before transmission to ad platforms
  • Full funnel attribution from impression to scheduled appointment—without exposing patient data
Data Warehouse & Attribution Layer
Marketing performance data is aggregated in a HIPAA-compliant data warehouse (BigQuery or Snowflake) with strict access controls. We never commingle marketing analytics with EHR/EMR data.
  • De-identified, aggregated reporting only—no individual patient records in dashboards
  • Separate environments for PHI-adjacent and non-PHI analytics
  • Data retention policies aligned with your compliance requirements
  • Export-ready for data room packaging during diligence
04

Vendor & Subprocessor Security

Every tool in the stack is vetted. Every vendor is under agreement.

Approved Vendor Stack
We maintain an approved vendor list with documented BAA status, SOC 2 compliance, and data handling policies for every tool in the marketing stack.
  • CMS: HubSpot Enterprise (BAA available), Webflow (BAA available)
  • Analytics: Google Analytics 4 (server-side only), Looker Studio
  • Advertising: Google Ads, Meta (via CAPI), LinkedIn
  • PHI Proxy: Freshpaint, OursPrivacy, Curve
  • CRM: HubSpot, Salesforce Health Cloud
  • Call Tracking: CallRail (BAA on file), Liine
Incident Response
In the event of a suspected data incident, Strategy Collective follows a documented incident response protocol with defined escalation timelines.
  • Immediate containment within 1 hour of detection
  • Client notification within 24 hours per BAA obligations
  • Root cause analysis and remediation plan within 72 hours
  • Post-incident review and control updates within 14 days

Request Our Compliance Package

Need our BAA template, vendor list, or data handling documentation for your compliance team or due diligence process? We deliver a complete package within 24 hours.
