Infinitus Security Statement
Infinitus is deeply committed to the security and privacy of our customers. We strive to implement and maintain security policies, processes and standards, and take all reasonable care to protect our customers and their data. We apply appropriate administrative, operational and technical security controls to help ensure that our customers’ data is handled and processed in a secure manner. Infinitus’ products and services are SOC 2 Type II compliant.
Infinitus’ platform and all servers are hosted in a highly secured Google Cloud Platform VPC in the US. Security scans are performed regularly on the infrastructure so that any vulnerabilities are quickly detected and remediated. Application penetration tests are performed annually by an independent third party. All services and data storage have quick failover implemented by Google Cloud. Infinitus data and our customer data are backed up daily, and the data restore plan is tested regularly. Backup and restore of Infinitus services are exercised regularly to ensure our SLA is met. Customer data is always encrypted at rest using Google’s most recent algorithm. Transmission of customer data between the public internet and the Infinitus platform is always encrypted via TLS 1.2 or higher. Access to our systems is monitored and logged, and is restricted to specific individuals based on the principles of need-to-know and least privilege.
SOC 2 Type II
- To ensure that Infinitus provides customers with the highest level of security for its services and products, Infinitus undergoes SOC 2 Type II auditing and maintains SOC 2 Type II compliance.
- Infinitus customers may contact their Infinitus sales representative or email email@example.com to get a copy of our SOC 2 Type II report.
- Infinitus signs HIPAA Business Associate agreements where applicable. Infinitus abides by the HIPAA requirements for Business Associates.
Security and Privacy Governance
Information Security and Privacy Policies
- Infinitus maintains a set of Information Security and Privacy policies covering all aspects of security and privacy. The policies are reviewed and updated on an annual basis.
- Information security roles and responsibilities are defined within the organization.
Onboarding and Training
- We conduct background checks for all employees. All employees and contractors complete security and privacy training and accept all security and privacy policies before working in the production environment. In addition, all employees are required to repeat the security and privacy training annually.
Infrastructure and Network Security
- Infinitus hosts all services and data stores on Google Cloud Platform in the United States. Google Cloud Platform holds an extensive list of certifications, including ISO 27001, NIST 800-53, SOC 2, PCI DSS, HIPAA, HITRUST CSF and others. See the complete list here: https://cloud.google.com/security/compliance/offerings
- Google Cloud Platform provides Infinitus failover services to ensure the availability of Infinitus services.
- All connections from the public internet to Infinitus services are encrypted using TLS 1.2 or higher, so all data transmitted between the public internet and Infinitus services is encrypted in transit.
- All customer and Infinitus data is encrypted at rest.
- System credentials are encrypted and managed by Google Secret Manager.
- Access to Google Cloud Infrastructure is restricted to authorized personnel based on the principles of need-to-know and least privilege.
- Infinitus infrastructure servers reside behind firewalls. By default, all access to servers is denied; only explicitly allowed ports and protocols are permitted, based on business need.
- Security scans are performed regularly to detect vulnerabilities quickly and remediate them in a timely manner.
- Development security is governed by Infinitus’ Secure Development Policy.
- Infinitus maintains separate development, staging, and production environments, with different VPCs, hosts, data and access controls. The development and staging environments are also hosted on the Google Cloud Platform in a secure manner similar to the production environment.
- We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our services. Quality Assurance is involved at each phase of the lifecycle and security best practices are mandated for all development activities.
Customer data is the most important asset for Infinitus. Other than customer data, Infinitus assets also include Infinitus intellectual property, Infinitus data, Infinitus development and production environments, and others.
- Access to systems is provisioned using role-based access controls. Permissions are based on the principles of need-to-know and least privilege. Requests to change access must be approved by the requester’s supervisor and the security team. Access to systems is monitored and logged.
Data Processing and Storage
- Customer data is stored in Google Cloud storage. Customer data is always encrypted at rest, and always encrypted in transit between the public internet and Infinitus services.
- We give additional attention and care to customer PHI data. Infinitus is a HIPAA Business Associate where applicable, and we have specific HIPAA Business Associate terms in contracts with our customers.
- Infinitus processes PHI in a way that is compatible with HIPAA regulation and only for the purpose specified in the contracts with our customers. We take all reasonable steps to protect customer data from loss, misuse or unauthorized access, disclosure, alteration and/or destruction.
- At the end of contract term with our customers, Infinitus disposes of or returns customer data as specified in our contracts.
- Infinitus has an established Third-Party Management Policy.
- Infinitus closely manages vendors using risk management principles.
- Infinitus performs compliance, security, privacy and PHI data processing assessments on vendors to ensure they meet security and privacy standards at least as high as those Infinitus provides to its customers.
- To minimize service interruption due to hardware failure, natural disasters, or other catastrophes, we have implemented a business continuity and disaster recovery program along with Google Cloud.
- Google Cloud provides the failover service for Infinitus services and data stores.
- Infinitus services and data storage are backed up on a daily basis.
- Service and data restore is tested quarterly.
Security Incident Response
- Infinitus has a formalized Incident Response Plan (“IRP”) and associated procedures in case an information security incident is declared. The IRP defines the responsibilities of key personnel and specifies procedures to follow regarding any communication or notifications about the Incident. The IRP is tested annually.
Report Security and Privacy Issues
If you believe you have found an actual or potential security or privacy issue, please email us at firstname.lastname@example.org. We have an incident and vulnerability response team to investigate and remediate such issues. We ask you to act ethically and contact us first before disclosing the issue publicly.