
Security

Infinitus information security and privacy management

Updated: 03/31/2023

Infinitus Information Security and Privacy Statement

Customer data protection

We follow the HIPAA Security and Privacy Rules to protect our customers’ data, including PHI and PII. For each customer whose PHI is processed by Infinitus, we sign a Business Associate Agreement (BAA) with that customer.

Data collection

The Infinitus Platform collects customer data directly from customers via the Infinitus Portal. Infinitus collects only the data necessary to complete the services for customers.

Data processing

Data protection and data privacy

Customer data is always protected by administrative, technical and physical security and privacy controls.

Data retention

Infinitus keeps customer data only as long as it is needed to provide the services or is required by regulation. On termination of the services, Infinitus returns or securely destroys all copies of customer data within the data retention period specified in the service agreement with the customer.

Information security and privacy governance

Compliance

Information security and privacy policies

Personnel and training

Infrastructure and network security

Service development security

Other security and privacy practices

Asset protection

Identity and access management

Cryptography

Data processing and storage

Physical Security 

Risk Assessment 

Service Availability 

Security Incident Response 

Vendor Management 

Report Security and Privacy Issues 

If you believe you have found an actual or potential security or privacy issue, please email us at security@infinitus.ai. We have an incident and vulnerability response team to investigate and remediate such issues. We ask you to act ethically and contact us first before disclosing the issue to the public.

FAQs

Security is paramount to building trust in the healthcare ecosystem, and Infinitus has always prioritized security, compliance, and privacy. Infinitus is highly committed to securing our most important asset: customer data. Our SOC 2 Type II certification is one important milestone on our security journey, and implementing and maintaining the SOC 2 requirements demonstrates Infinitus’ ongoing commitment to protecting healthcare data by meeting the most rigorous security standards in the industry.

GENERAL 

What product/service does Infinitus offer? 

Infinitus Systems, Inc. is a health tech company that offers Benefit Verification (“BV”), PA status checks, claim status checks, pharmacy-to-pharmacy transfers and other services to healthcare institutions using its SaaS platform. We automate routine phone calls for healthcare operations so our customers can spend less time on hold and more time serving patients.

Where is the Infinitus platform hosted? 

The Infinitus platform and services are hosted on Google Cloud Platform.

ACCESS CONTROL 

How do customers access Infinitus Portal? 

Customers can authenticate to the Infinitus Portal using Google Authentication, Microsoft Active Directory, passwordless login, or SAML.

How can customers share patient data with Infinitus? 

Infinitus provides a REST API and a web application through which benefit verifications and other workflows can be conducted.

What password complexity requirements (e.g. case, characters, length, reuse, expiration, etc.) are available? 

Infinitus authenticates customers through Google authentication or a federated customer authentication service, so the password complexity for customer users depends on the customer’s own policy. For Infinitus users, we enforce a minimum password length, strong passwords, and no reuse of previous passwords.

Is two-factor authentication (2FA) available? 

Customers can enforce 2FA through their own authentication service for access to the customer portal. Infinitus enforces 2FA for all Infinitus users.

How often must passwords be changed? 

Infinitus authenticates customers through Google authentication or a federated customer authentication service, so the password lifetime for customer users follows the customer’s own policy. For Infinitus users, we enforce password rotation every 180 days.

How is separation of access controlled in the Infinitus environment?

Customer data stored in Google Cloud is separated and access-controlled using unique customer IDs.

Does Infinitus support role-based access controls that may be applied to customer accounts? 

Yes – Predefined roles include: 

Customers can create/update/remove their own roles as well. 

Does Infinitus immediately remove all access when personnel are terminated? 

Infinitus removes all access to the Infinitus environment within 24 hours when personnel are terminated.

AWARENESS AND TRAINING 

Does Infinitus have a formal awareness training program implemented for employees and contractor users? 

All employees and contractors undergo Information Security, HIPAA, Code of Conduct and Sexual Harassment Prevention training.

How frequently do Infinitus employees and contractors undergo these training sessions? 

Annually

BUSINESS CONTINUITY AND DISASTER RECOVERY 

Does Infinitus have a Business Continuity and Disaster Recovery plan? 

Infinitus maintains a Business Continuity and Disaster Recovery plan that is reviewed and tested annually. 

Does Infinitus backup customer data on a regular basis?

Infinitus ensures that all data, including customer data, is backed up and can be restored within our recovery time objective if a failure occurs.

CRYPTOGRAPHY & DATA MANAGEMENT 

What type of data does Infinitus collect and process? 

Infinitus collects and processes PHI (Protected Health Information), PII (Personally Identifiable Information) and other data necessary and as agreed in the service agreement to provide benefit verification (“BV”) and other services to customers. 

How can customers send/receive data to Infinitus? 

Customers invoke Infinitus APIs and use Infinitus-provided web applications to transmit records to Infinitus and receive processed records back. Infinitus can also provide EHR integrations for health system customers.

Does Infinitus have a formally documented information classification policy implemented throughout the organization? 

Information classifications are defined in the Data Management policy, and information is classified as Confidential, Restricted, or Public.

Where does Infinitus Store customer data?

Customer data is stored within Google Cloud Platform in the USA. All access to customer data goes through Google-managed data centers in the USA and is made securely through the browser.

How does Infinitus transmit and store customer data securely?

All customer data is transmitted over secure channels protected with TLS 1.2 and stored encrypted using the 256-bit Advanced Encryption Standard (AES-256).

How does Infinitus monitor access to customer data? 

Infinitus logs and monitors all access attempts to our company resources, including customer data. 

When does Infinitus delete customer data / How long does Infinitus retain customer data? 

Infinitus will delete customer data within an agreed-upon time frame (as defined in the agreement between both parties). Infinitus Systems retains data only as long as the company needs it for its use or to meet regulatory or contractual requirements.

COMPLIANCE & PRIVACY 

What third-party security certification does Infinitus have?

Infinitus is SOC 2 Type II compliant, which is considered the gold standard for security compliance of software-as-a-service (SaaS) companies.

Is Infinitus a Business Associate (BA) as defined by the Health Insurance Portability and Accountability Act (HIPAA)? 

As a health tech company, we are a Business Associate to a Covered Entity or a subcontractor to a Business Associate. We comply with HIPAA and have Business Associate Agreements (BAAs) with all downstream Business Associates.

Does Infinitus need to be compliant with the EU General Data Protection Regulation (GDPR)? 

Infinitus currently does not process data for EU customers and therefore does not need to be compliant with the EU GDPR.

Does Infinitus review and verify compliance with all applicable legal, regulatory and statutory requirements on at least an annual basis?

Infinitus reviews its compliance with all applicable legal, regulatory, and statutory requirements on at least an annual basis.

How does Infinitus collect and use Member data? 

When you interact with us through the Services, we may collect Personal Data and other information from you and are committed to the security of the data. Please refer to the Privacy Policy to understand the type of personal data we collect. 

INCIDENT RESPONSE 

If there is an incident, does Infinitus have a response plan?

In the event of a security issue, Infinitus follows an incident response plan to identify the root cause and address the issue. If an incident response is necessary, Infinitus will act promptly to minimize the harm to the affected data and/or systems, including implementing changes designed to address the security issue.

How frequently is the Incident Response plan tested? 

The incident response plan is tested quarterly to verify the effectiveness of incident handling. The information security team assesses, investigates, mitigates, remediates, and reports any issues to customers.

Does Infinitus have defined roles & responsibilities to handle incidents?

Roles and responsibilities of Infinitus team members during incident management are defined in the Incident Response Policy.

How to report a Security or Privacy incident? 

If you see a security or privacy issue, please send an email to security@infinitus.ai.

OPERATIONAL SECURITY 

Does Infinitus have a formal Change Management process?

Changes to the organization, business processes, information processing facilities, and systems that affect information security in the production environment and financial systems shall be controlled. All significant changes to in-scope systems are documented. 

Does Infinitus have separate production and non-production environments? 

Infinitus strictly segregates production and non-production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. 

How does Infinitus log and monitor access to resources including customer data? 

Infinitus collects logs to monitor access to its resources, including customer data. These comprise application-level logs (customer user activities, Infinitus user activities, and access control events) and system-level logs (firewall and other network appliance logs). The logs are reviewed weekly to monitor access.

Are customers able to access and download application and system logs?

The application and system logs are for internal purposes only. 

How does Infinitus monitor intrusion and changes to system integrity?

Infinitus Systems production systems are configured to monitor, log, and alert on suspicious activity. Alerts are configured for suspicious conditions, and the security team reviews logs on a regular basis for unauthorized intrusions, access attempts, or changes to Infinitus Systems.

Does Infinitus have Vulnerability Management tools and processes in place? 

Infinitus employs a combination of SAST and DAST tools to identify and remediate vulnerabilities. 

PERSONNEL SECURITY 

Does Infinitus perform pre-employment screening, including background checks, for all personnel? 

Infinitus performs a complete background check for all personnel including permanent, contract and temporary personnel. 

What security terms and conditions (T&C’s) does Infinitus include as part of employment agreements for staff and contractors?

All employees and contractors need to sign “Proprietary Information And Inventions Agreement – CA”. During onboarding, all employees and contractors are also required to review and sign the Information Security Policy. 

Does Infinitus have a process in place for staff and contractors that require access to customer information? 

Infinitus Systems determines the type and level of access granted to individual users based on the principle of least privilege: users are granted only the level of access absolutely required to perform their job functions, as dictated by Infinitus Systems’ business and security requirements. Permissions and access rights not expressly granted are prohibited by default.

PHYSICAL SECURITY 

How does Infinitus provide physical security? 

Google, our cloud hosting provider, manages security for our data center resources. At the Infinitus office, physical access is restricted to employees and authorized visitors. No confidential information is stored at Infinitus physical locations.

Are physical security measures in place at the sites which hold or process customer data? 

The Infinitus platform resides in Google Cloud Platform and all physical security measures are handled by Google. Refer to https://www.google.com/about/datacenters/data-security/ for more information. 

RISK ASSESSMENT 

Does Infinitus have formally documented policies and procedures for Risk Assessments? 

Yes 

Does Infinitus perform risk assessment on an organization-defined basis of the potential risks and vulnerabilities? 

Infinitus conducts a risk assessment on an annual basis. The risk assessments are based on SOC 2 standards and cover data storage, code base, people, production services, physical security, and custom risks. Infinitus also engages a third-party firm to conduct penetration testing and addresses the vulnerabilities it identifies.

How frequently does Infinitus conduct risk assessment?

Annually. Infinitus conducts the risk assessment based on SOC 2 standards, covering data storage, code base, people, production services, physical security, and custom risks.

SECURITY PROGRAM MANAGEMENT & PRACTICE 

Does Infinitus have a formal Information security program?

Infinitus maintains a formal information security program that addresses the security, privacy, and compliance needs of the organization and its customers.

What are Infinitus’ Information security program and policy practices?

The objective of Infinitus’ Information Security Program is to maintain the confidentiality, integrity and availability of all computer and data communication systems while meeting necessary legislative, industry, and contractual requirements. Infinitus policies, procedures and standards are SOC2 Type II certified. 

Does Infinitus have formal written Information Security Policies?

Infinitus has the following list of policies defined – 

Can customers get a copy of the Information Security Policy?

Infinitus can share the Information Security Policy packet upon execution of an NDA.

How frequently are the Information Security Policies reviewed?

Annually 

Does Infinitus perform penetration testing? 

Annual penetration testing is performed on all critical systems as part of the SOC 2 compliance requirements. All findings are prioritized and remediated within 30 days.

SECURE DEVELOPMENT POLICY 

Does Infinitus have a secure development policy? 

The secure development policy defines the overall secure development lifecycle, including secure software development, secure testing, and system acceptance testing. The Infinitus platform does not handle authentication itself and therefore stores no credential data; authentication is performed by Google Cloud or other authentication services.

How does Infinitus promote application/code into the production environment and is it subject to formal change control, development, testing and release procedures? 

All Infinitus Systems software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository. Only members of the infrastructure team have access to conduct release management.

THIRD-PARTY RISK MANAGEMENT

Does Infinitus have a vendor risk management policy and how frequently is it monitored? 

Infinitus has a “Third Party Management” policy which is monitored and reviewed annually. Risk assessments of third-party service providers are conducted according to Infinitus’ risk management policy.

How does Infinitus ensure its Third Parties implement effective security?

All third parties are required to sign a HIPAA Business Associate Agreement for the safe handling of customer data and PHI. In addition, third parties are required to hold a recognized industry-specific certification such as ISO 27K or SOC 2 Type 2. On an annual basis, we perform a risk assessment of third parties and re-examine all security and privacy requirements. Documents exchanged with third parties may not be shared without prior agreement.

Does Infinitus have vendors accessing or processing customer data?

Infinitus has subcontractors who access and process data on behalf of Infinitus. Infinitus has signed Business Associate Agreements with all vendors that process PHI, and adheres to HIPAA regulations.

How does Infinitus handle the process for termination of Third-Party contracts where they had access to customer Data? 

Third-party contracts include termination clauses that specifically address return and/or destruction of all customer data upon termination of such contracts. 

Does Infinitus conduct Third-party Risk Assessment on all its vendors?

Infinitus has implemented a risk assessment process for all third parties, including vendors and subcontractors, based on the “Third Party Management” policy.