We take security very seriously across all our cloud services, and aim to lead the market in certifications, policies, architecture and response.
dataloader.io is a 100% web-based application and it is not available on-premises. It uses oAuth 2.0 so users can log into dataloader.io with existing Salesforce credentials without compromising security.
The CSV file used to import, export or delete data in Salesforce is stored within our data centers, so users can re-run the same task without having to upload/download the file again. CSV data can be completely removed from our servers by deleting a task from dataloader.io UI. Also, since July ‘16 release we allow users to save result files externally to cloud services like (S)FTP, Box, Dropbox and avoid information to be stored in our data centers (more information here).
In regards to HIPAA, MuleSoft is not subject to HIPAA regulations, as we do not directly handle personal health information. HIPAA is only applicable to covered entities.
We are also a level 1 PCI service provider and are SSAE16 certified. You can see more about our approach to security at our Trust Center.