Security & Compliance

We’re serious about safeguarding data.

Protecting personal information is our top priority. For the sake of our users and customers, we don’t compromise or cut corners when it comes to data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the ever-evolving security practices we have in place.


We’re compliant with the highest security and privacy standards

SOC 2 Type II – Kaia Health has completed a SOC 2 Type II examination covering the security, availability, and confidentiality trust services criteria, and is audited annually. Unlike a Type I report, which covers control design at a single point in time, a Type II report attests that the controls operated effectively throughout the review period; in our case, a six-month look-back period. The report is available, upon request, to existing customers and prospects. Because the report is confidential, we require a signed NDA before sharing it.

ISO 27001 – Kaia Health holds an ISO 27001 certificate, which is available upon request to existing customers and new prospects without a signed NDA. Being audited and certified against the ISO 27001 standard demonstrates our commitment to identifying risks and operating robust, repeatable controls that keep our security posture strong.

HITRUST – Kaia Health's biggest security compliance achievement to date: a year-long, intensive implementation and certification project to meet the most comprehensive and strict security requirements in the healthcare industry without compromise. Kaia Health is proudly HITRUST certified and stands behind the growing demand for strong protection of health data.

GDPR & CCPA – Kaia Health is audited annually by external independent auditors against the GDPR and CCPA privacy regulations. By complying with the GDPR and CCPA we demonstrate our commitment to protecting personal information and to a consent-based model for processing personal data.

HIPAA – Kaia Health is audited annually by external independent auditors against the HIPAA Privacy and Security Rules. By complying with HIPAA we demonstrate our determination to maintain high healthcare security and privacy standards and to make no compromises with patient data.

Our encryption protocols are national-security worthy

Powered by AWS (US) and Open Telekom Cloud (DE), we keep all data encrypted both at rest and in transit using well-vetted, standard algorithms such as RSA-4096, SHA-256 and AES-256. Data sent to or from our infrastructure is encrypted in transit with Transport Layer Security (TLS) configured according to industry best practice. At rest, all data is encrypted with the same standard algorithms, and the encryption keys are held in managed secret-management services. You can view our SSL Labs report here.

With encryption at every stage, at rest, in transit and in cloud storage, Kaia Health products keep your data safe, secure and private. Even metadata exchanged between your system and Kaia Health is encrypted.

Our consent-based model gives people control over their personal and protected health information

Under the EU General Data Protection Regulation (GDPR), applicable since 2018, personal data, including health data, remains under the control of the individual it describes, and consent to process or share that data must be "freely given, specific, informed and unambiguous." We couldn't agree more.

When a person uses Kaia Health, the app asks that individual for permission before accessing their health data, so that the average person can exercise consent and control over their own data.

Our security measures are ever evolving to keep pace with the changing threat landscape

Our work on security and privacy has no end; it is a continuous cycle of researching, revising, implementing, testing, fixing, scaling, blocking and permissioning. We work constantly to meet and exceed what regulators, investors, partners and users ask of us, and we live these security processes collectively on a daily basis. Security and privacy are integral to our culture.

Data retention and removal are standardized and at the discretion of our users

All permissioned user data held by Kaia Health is available to our customers for electronic retrieval for 30 days after the expiration or termination of the Master Service Agreement. After that, all data is completely removed from Kaia Health's servers. Any user can request removal of their personal data by contacting Kaia Health support. Read more about our privacy settings.

We establish strong defenses at points of entry

Kaia Health's apps and backend infrastructure, the main entry points for user data, accept client connections only over strong TLS protocol versions and cipher suites. All communication between Kaia Health infrastructure and data platforms is transmitted over encrypted tunnels.

We take all necessary infrastructure precautions

All of our services run in Amazon Web Services (AWS) US regions for US customers and in Open Telekom Cloud (OTC) in Germany for EU customers. We don't host or run our own routers, load balancers, DNS servers or physical servers. AWS and OTC regularly undergo independent verification of their security, privacy and compliance controls against standards including ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA STAR and FedRAMP, among many others. You can read more about their practices: AWS and OTC.

Secure code: transparent development with security in mind

Protecting customer data from modern threats means our products must be developed with security in mind. The following practices help us achieve a high level of security in our software:

  • We apply a Secure Software Development Life Cycle (S-SDLC), which builds security into every phase of development
  • We develop and continuously maintain a corporate culture dedicated to security
  • We assess the security of our code against well-known industry references such as MITRE ATT&CK, the OWASP Top 10 and the SANS/CWE Top 25
  • Developers take part in regular security training on common vulnerabilities, threats and secure coding practices
  • We review our code for security vulnerabilities
  • We regularly update our backend infrastructure and software and patch known vulnerabilities promptly
  • We use static application security testing (SAST) and dynamic application security testing (DAST) to detect common security vulnerabilities in our codebase
  • We conduct regular external penetration tests against our production environments

Our application security monitoring and protection tooling gives us the visibility to:

  • Identify attacks and respond quickly to a data breach
  • Monitor exceptions and logs and detect anomalies in our applications
  • Collect and store logs to provide an audit trail of our applications' activity

We also run a runtime application protection layer that identifies and blocks web attacks and business-logic attacks in real time, and we set HTTP security headers to protect our users' browsers.
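The TLS-only entry points and the security headers described above are both things a customer can verify from the client side. The script below is an added example and is not Kaia Health's code: it builds a TLS client context that refuses anything older than TLS 1.2 (so a successful handshake proves the server offers a modern version), and it audits a response's headers against an assumed baseline. The header baseline, the two sample responses and the example host name are constructed assumptions for illustration, not values taken from this page.

```python
"""Client-side checks for TLS policy and HTTP security headers.

Added example; not Kaia Health's code. The header baseline, the sample
responses and the example host name are assumptions made for illustration.
"""
import socket
import ssl

# Assumed baseline of headers a production web endpoint should send.
# Maps each header (lower-case) to a predicate that accepts a sound value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}


def tls_client_context() -> ssl.SSLContext:
    """Build a client context that refuses anything older than TLS 1.2.

    If a handshake with this context fails, the server only offers legacy
    protocol versions.
    """
    ctx = ssl.create_default_context()          # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION         # TLS compression enables CRIME
    return ctx


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live probe (needs network): handshake with `host` and return the
    negotiated protocol, e.g. 'TLSv1.3'. Raises ssl.SSLError if the server
    cannot satisfy the minimum-version policy."""
    ctx = tls_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings for missing or weak security headers.

    An empty list means the response meets the assumed baseline.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, accepts in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif not accepts(lower[name]):
            findings.append(f"weak {name}: {lower[name]!r}")
    # Banner headers carrying a version number hand attackers a target.
    for banner in ("server", "x-powered-by"):
        if banner in lower and any(ch.isdigit() for ch in lower[banner]):
            findings.append(f"version disclosure in {banner}: {lower[banner]!r}")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
    "X-Frame-Options": "ALLOW-FROM https://example.com",   # obsolete directive
}

HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Server": "nginx",                                       # no version string
}


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or "OK")
    # Uncomment to probe a real endpoint (assumed host name):
    # print(negotiated_tls_version("app.example.com"))
```

Run the script as-is to see the weak sample flagged and the hardened sample pass; point `negotiated_tls_version` at an endpoint you are authorized to test to confirm it negotiates TLS 1.2 or 1.3 with a strict client. A failed handshake is itself the finding.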

We practice stringent network-level security monitoring and protection

Our network is divided into multiple security zones, which we monitor and protect with trusted, next-generation firewalls, including IP address filtering, to guard against unauthorized access. We run an intrusion detection and prevention solution (IDS/IPS) that monitors and blocks potentially malicious traffic, as well as distributed denial of service (DDoS) mitigation powered by an industry-leading service.

We boast an industry-leading security team

Our security team consists of security experts dedicated to continuously improving the security of our organization. The team is trained and certified in threat detection and incident response, application security, security management and compliance, and the latest security best practices.

We encourage responsible disclosure

If you discover a vulnerability in our application or infrastructure, please alert our team at security@kaiahealth.com. We will respond to your submission as quickly as possible and will not take legal action if you follow the responsible disclosure process:

  • Avoid automated testing and only perform security tests against your own data
  • Include a proof of concept in your email
  • Do not disclose any information about the vulnerability until we give clear approval

Note that our bug bounty program is currently closed and we are not looking for new security researchers.

Secure data centers

Kaia Health leverages a global network of cloud data centers built to provide high levels of safety, security and accessibility. Specifically, Kaia Health uses Open Telekom Cloud infrastructure to serve the EU market and Amazon Web Services for its global operations.

  • High data availability
    Ensuring that your organization’s mission-critical data has one of the highest levels of availability, leveraging data centers that provide redundant HVAC, network and UPS systems.
  • Guarded physical locations
    Data centers are physically defended 24/7 by security personnel, high fences, and video surveillance, while on-site entry requires biometric and key card access. Strict access control measures ensure that only authorized personnel have access to the data center.
  • Reliable facility management
    Equipped with UPS and backup diesel generators, the data centers can maintain a continuous supply of electricity through power outages of up to 48 hours. They are also equipped with HVAC, fire detection and suppression systems, alarms, and CCTV surveillance monitoring.
  • Location choice for your data
    The global nature of our data center network means your data is stored in the most appropriate location, so that regulatory compliance and connectivity requirements are met.