Ethical and technological data stewardship is a responsibility that we take incredibly seriously. Last year, we announced SOC 2 Type II certification, which is one of the most stringent enterprise security standards. Since then, we have continued our investment in data privacy and security, and today, we’re excited to announce that Civis achieved HIPAA compliance. This means we completed an assessment by an independent auditor to help us implement the physical, network, and process security safeguards needed to serve as a Business Associate for Covered Entities that trust us to access protected health information (PHI). We’re so proud to say that ours is one of the few cloud-based data science software platforms that is both SOC 2 Type II-certified and HIPAA-compliant.
While achieving HIPAA compliance is an exciting milestone, the reality is that we’ve been obsessive about data privacy and security for a long time. Here are just a few examples of how we bring that to life:
- All of our staff undergo HIPAA training in addition to vulnerability detection, social engineering, incident response readiness, and other trainings.
- We use Single Sign-On (SSO) for our Platform, which enables our software to work with a company’s existing identity service provider to allow users access to Platform. Not only does this simplify the user experience, it also allows a client’s own IT department to apply their company’s password requirements, even when using our software.
- We regularly review access to both internal and client data to ensure that we continue restricting data use only to those employees who need it. We’ve also embedded privacy and security review into our product development from conception through release.
- We collaborate with external privacy and security experts to audit, test, and constantly improve our data protection practices.
We will continue to invest in our never-ending effort to earn and maintain your trust, and that means investing heavily in all aspects of our privacy and security infrastructure (people, technology, training). If you have any questions about our data protection practices, please contact us at email@example.com.