
Security

Updated 09/19/25

Security is paramount to building trust in the healthcare ecosystem and Infinitus has always prioritized Security, Compliance, and Privacy. Infinitus is highly committed to securing our most important asset, customer data. Our SOC 2 Type II certification is just one important milestone on our security journey and implementing and maintaining SOC 2 requirements demonstrates Infinitus’ ongoing commitment to protecting healthcare data by meeting the most rigorous security standards in the industry.

Comprehensive security protocols

Explore Infinitus’ security pillars.

The security triad at Infinitus

Customer data protection

We follow HIPAA Security and Privacy rules to protect our customers’ data, including PHI and PII data. For each customer, if PHI data is processed by Infinitus, we sign the Business Associate Agreement with the customer.

Data collection

Infinitus Platform collects customer data directly from customers via Infinitus Portal or API endpoints. Infinitus only collects necessary data to complete the services for customers.

Data processing

  • Infinitus processes customer PHI and PII in a way that is compliant with HIPAA regulation and only for the purposes specified in the contracts with our customers. We take all reasonable steps to protect customer data from loss, misuse or unauthorized access, disclosure, alteration and/or destruction.
  • Customers can view and download their data via Infinitus Portal or API endpoints.
  • At the end of the contract term with our customers, Infinitus securely destroys customer data or returns it, as per the terms of the contract.

Data protection and data privacy

Customer data is always protected by administrative, technical and physical security and privacy controls.

  • PHI data is governed by HIPAA security and privacy rules.
  • Infinitus personnel handling customer data must be trained on HIPAA, information security and privacy during onboarding and annually afterwards.
  • Customer data is stored in secure on-cloud storage within the US boundaries.
  • Customer data is always encrypted while in-transit and while at-rest by industry standard encryption algorithms.
  • Customers manage their own personnel’s authentication and authorization to access the data. Infinitus doesn’t manage customer passwords and always relies on customer SSO (Single Sign-on) systems for login.
  • Infinitus personnel’s permissions to access customer data are granted strictly on a need-to-know basis, follow the least-privilege principle, and must be approved by supervisors.
  • All access to customer data and permission changes are logged and monitored. All customer data accesses are reviewed periodically.
  • Customer data is backed up on a regular basis within the cloud. All backups are encrypted with industry standard encryption algorithms while at rest.
  • Customer data disaster recovery is tested on a regular basis.

Data retention

Infinitus keeps customer data only as long as it is needed to provide services or as required by regulatory requirements. At the termination of the services, Infinitus will return or securely destroy all copies of customer data within the data retention period specified in the service agreement with the customer.

Information security and privacy governance

Compliance

Infinitus conducts comprehensive reviews of legal, regulatory, and statutory compliance requirements at least annually to ensure adherence to applicable mandates.

HIPAA

  • Infinitus signs HIPAA Business Associate agreements where applicable, with customers and vendors. Infinitus abides by the HIPAA requirements for Business Associates.

SOC 2 Type II

  • To ensure that Infinitus provides customers with the highest level of security of the services and products, Infinitus performs SOC 2 Type II auditing and maintains SOC 2 Type II compliance.
  • Infinitus customers may contact their Infinitus sales representative or email sales@infinitus.ai to get a copy of our most recent SOC 2 Type II report.
  • Infinitus performs annual penetration testing of all its critical systems as part of the SOC 2 compliance requirement.

CCPA

  • Infinitus processes records of patients located in the USA and is CCPA compliant. Infinitus currently does not process data of EU customers, and therefore is not required to comply with the EU GDPR.

Information security and privacy policies

  • Infinitus maintains a set of Information Security and Privacy policies covering all aspects of security and privacy. The policies are reviewed and updated on an annual basis.
  • Information security roles and responsibilities are defined within the organization.

Personnel and training

  • Infinitus performs a complete background check for all personnel including employees and contractors.
  • All employees and contractors are required to agree to Infinitus corporate policies.
  • All employees and contractors go through HIPAA, Information security and privacy training and need to accept all security and privacy policies before working in the production environment. In addition, all employees are required to go through HIPAA, security and privacy training annually.

Infrastructure and network security

  • Infinitus hosts all services and data storage on Google Cloud Platform in the United States. Google Cloud Platform holds an extensive list of certifications, including ISO 27001, NIST 800-53, SOC 2, PCI DSS, HIPAA, HITRUST CSF and others.
  • Google Cloud Platform provides Infinitus with failover services to ensure the availability of Infinitus services.
  • All connections from the public internet to Infinitus services are encrypted using TLS 1.2 or higher, so all data transmitted between the public internet and Infinitus services is encrypted.
  • All customer and Infinitus data is encrypted at-rest.
  • System credentials are encrypted and managed by Google Secret Manager.
  • Access to Google Cloud Infrastructure is restricted to authorized personnel based on the principles of need-to-know and least privilege.
  • Infinitus infrastructure servers reside behind firewalls. By default all accesses to servers are denied and only approved ports and protocols are allowed based on the business needs.
  • Infinitus has an Intrusion Detection System (IDS) in place to monitor and address potential intrusions.

Service development security

  • Secure Software Development Lifecycle (SSDLC) is governed by Infinitus’ Secure Development Policy.
  • Infinitus maintains separate development and production environments, with different VPCs, hosts, data and access controls. The development environment is also hosted on the Google Cloud Platform in a secure manner similar to the production environment.
  • We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our services. Quality Assurance is involved at each phase of the lifecycle and security best practices are mandated for all development activities.
  • Automated vulnerability scans are performed regularly. Penetration tests by external teams are performed at least once a year.

Other security and privacy practices

Asset protection

  • Customer data is the most important asset for Infinitus. Other than customer data, Infinitus assets also include Infinitus intellectual property, Infinitus data, Infinitus development and production environments, and others.
  • Infinitus maintains an asset inventory, and every asset is assigned a data classification.
  • Asset protection is based on the data classification as defined in the Data Management Policy.

Identity and access management

  • Infinitus Platform supports authentication via Google, Microsoft, SAML and passwordless sign-in. Customers are encouraged to integrate Infinitus Platform with their own authentication service as SSO, and can enforce MFA through that service for access to the Infinitus customer portal.
  • For internal users, Infinitus enforces strong password complexity requirements, no reuse of passwords and password rotation every 180 days. Infinitus enforces 2FA for all its internal users.
  • Infinitus Platform implements the role based access controls (RBAC) for customer users. Customer admin manages the access for their users.
  • Infinitus personnel’s (employees’ and contractors’) access to assets is provisioned using role-based access controls (RBAC). Permissions are based on the principles of need-to-know and least privilege. Access change requests must be approved by the supervisors and the security team. Access to the systems is monitored and logged. Upon termination, Infinitus removes all of the departing employee’s access to the Infinitus environment within 24 hours.

Cryptography

  • All communication to the Infinitus platform is encrypted in transit with TLS 1.2 or higher.
  • Customer data and other confidential data within the Infinitus platform are encrypted at rest with the AES-256 algorithm.
  • Cryptographic keys and their life-cycle management are handled by Google Key Management Service (KMS).

Data processing and storage

  • Infinitus and customer data is stored in the cloud. Customer data is separated and access controlled using unique customer IDs and is always encrypted in transit and at rest.
  • We give additional attention and care to customer PHI and PII data. Infinitus is a HIPAA Business Associate where applicable, and we have specific HIPAA Business Associate terms in contracts with our customers and our vendors.
  • Infinitus has an internal data retention policy and has a data retention policy with each customer.

Operational security

  • Infinitus enforces a formal Change management process to push all changes, including emergency changes, to production.
  • Infinitus segregates production and non-production environments to reduce risk of unauthorized access or changes to customer data.
  • Infinitus collects various logs in the cloud to monitor user and system activity. The logs are reviewed on a weekly basis.
  • Infinitus requires vulnerability scanning at key stages of the secure software development lifecycle. Infinitus conducts static analysis (SAST) of code, dynamic analysis (DAST) of running applications and software composition analysis (SCA) to identify known vulnerabilities in the software supply chain.

Physical security

  • Infinitus enforces physical security controls in its offices. Access to the office is restricted to employees and authorized visitors only. All visitors are escorted by an employee at all times.
  • Google and other vendors enforce physical security for Infinitus services and data storage sites.

Risk assessment

  • Infinitus has an established Risk Management Policy governing the risk management program.
  • Infinitus conducts a risk assessment on an annual basis. The risk assessments are based on SOC 2 standards covering data storage, code base, people, production services, physical security, and custom risks. Infinitus engages a third-party firm to conduct penetration testing to address vulnerabilities.
  • Infinitus conducts risk assessments of its vendors at least once a year, including the risks arising from changes to security and privacy regulations.

Service availability

  • To minimize service interruption due to hardware failure, natural disasters, or other catastrophes, we have implemented a business continuity and disaster recovery program along with Google Cloud. Infinitus maintains a Business Continuity and Disaster Recovery plan that is reviewed and tested annually.
  • Google Cloud provides the failover service for Infinitus services and data storage.
  • Infinitus ensures that all data, including customer data, is backed up regularly and can be restored within our recovery time objective (RTO) if a failure were to occur.
  • The business continuity and disaster recovery plan, as well as service and data restores, are tested on a regular basis.

Security incident response

  • Infinitus has a formal Incident Response Plan (“IRP”) to address any security/privacy incidents. The IRP defines the responsibilities of key personnel and specifies procedures to follow regarding any communication or notifications about the Incident.
  • The IRP is tested at least once a year.

Security program management and practice

  • Infinitus has a sound Information security program to address security, privacy and compliance needs of the organization and its customers.
  • The objective is to maintain the confidentiality, integrity and availability of all computer and data communication systems while meeting necessary legislative, industry and contractual requirements.
  • Infinitus has defined the following corporate policies, which are reviewed and updated on an annual basis.
    • Access Control Policy
    • Asset Management Policy
    • Business Continuity and Disaster Recovery Plan
    • Code of Conduct
    • Cryptography Policy
    • Data Management Policy
    • HIPAA and Privacy Policy
    • Human Resource Security Policy
    • Incident Response Plan
    • Information Security Policy (AUP)
    • Information Security Roles and Responsibilities
    • Operations Security Policy
    • Physical Security Policy
    • Risk Management Policy
    • Secure Development Policy
    • Third-Party Management Policy

Vendor management

  • Infinitus has an established Third-Party Management Policy which is reviewed annually.
  • Infinitus closely manages vendors using risk management principles.
  • Infinitus performs compliance, security, privacy and PHI data processing assessments on vendors to ensure they meet the same or a higher level of security and privacy standards than Infinitus provides to its customers.
  • Infinitus has established Business Associate Agreements (BAA) with all its downstream vendors for safe handling of customer PHI data. In addition, all vendors are required to hold recognized industry certifications such as ISO 27001, SOC 2 Type II, etc.

Report security and privacy issues

If you think you found a true or potential security or privacy issue, please email us at security@infinitus.ai. We have an incident and vulnerability response team to investigate and remediate the issues. We ask you to act ethically and contact us first before disclosing the issue to the public.