Infinitus Information Security and Privacy Management
Updated: 03/31/2023

Infinitus Information Security and Privacy Statement

Customer data protection
We follow the HIPAA Security and Privacy Rules to protect our customers’ data, including PHI and PII. For each customer whose PHI is processed by Infinitus, we sign a Business Associate Agreement with that customer.

Data collection
The Infinitus Platform collects customer data directly from customers via the Infinitus Portal. Infinitus collects only the data necessary to complete the services for customers.

Data processing
Infinitus processes customer PHI and PII in a way that is compatible with HIPAA regulation and only for the purposes specified in the contracts with our customers. We take all reasonable steps to protect customer data from loss, misuse, or unauthorized access, disclosure, alteration, and/or destruction. Customers can view and download their data via the Infinitus Portal. At the end of the contract term, Infinitus securely destroys or returns customer data as specified in our contracts.

Data protection and data privacy
Customer data is always protected by administrative, technical, and physical security and privacy controls. PHI is governed by the HIPAA Security and Privacy Rules. Infinitus personnel handling customer data must be trained on HIPAA, information security, and privacy during onboarding and annually thereafter. Customer data is stored in secure cloud storage located in the United States. Customer data is always encrypted in transit and at rest using industry-accepted secure algorithms. Customers manage their own personnel’s authentication and authorization to access the data: Infinitus does not manage customer passwords and always relies on the customer’s SSO system for login. Infinitus personnel’s permissions to access customer data are granted strictly on a need-to-know basis and must be approved by supervisors.
Access to customer data and permission changes are logged and monitored. Customer data is backed up on a regular basis, and customer data disaster recovery is tested on a regular basis.

Data retention
Infinitus keeps customer data only as long as needed to provide the services or as required by regulation. At the termination of the services, Infinitus returns or securely destroys all copies of customer data within the data retention period specified in the service agreement with the customer.

Information security and privacy governance

Compliance

HIPAA
Infinitus signs HIPAA Business Associate Agreements, where applicable, with customers and vendors. Infinitus abides by the HIPAA requirements for Business Associates.

SOC 2 Type II
To provide customers with the highest level of security for its services and products, Infinitus undergoes SOC 2 Type II audits and maintains SOC 2 Type II compliance. Infinitus customers may contact their Infinitus sales representative or email sales@infinitus.ai to obtain a copy of our SOC 2 Type II report.

Information security and privacy policies
Infinitus maintains a set of information security and privacy policies covering all aspects of security and privacy. The policies are reviewed and updated annually. Information security roles and responsibilities are defined within the organization.

Personnel and training
We conduct background checks for all employees. All employees and contractors complete HIPAA, information security, and privacy training and must accept all security and privacy policies before working in the production environment. In addition, all employees are required to complete HIPAA, security, and privacy training annually.

Infrastructure and network security
Infinitus hosts all services and data storage on Google Cloud Platform in the United States.
Google Cloud Platform holds an extensive list of certifications, including ISO 27001, NIST 800-53, SOC 2, PCI DSS, HIPAA, HITRUST CSF, and others; see the complete list at https://cloud.google.com/security/compliance/offerings. Google Cloud Platform provides Infinitus with failover services to ensure the availability of Infinitus services. All connections from the public internet to Infinitus services are encrypted using TLS 1.2 or higher, so all data transmitted between the public internet and Infinitus services is encrypted. All customer and Infinitus data is encrypted at rest. System credentials are encrypted and managed by Google Secret Manager. Access to the Google Cloud infrastructure is restricted to authorized personnel based on the principles of need-to-know and least privilege. Infinitus infrastructure servers reside behind firewalls: by default all access to servers is denied, and only approved ports and protocols are allowed based on business need. Infinitus has an Intrusion Detection System (IDS) in place to monitor and address potential intrusions.

Service development security
The Secure Software Development Lifecycle (SSDLC) is governed by Infinitus’ Secure Development Policy. Infinitus maintains separate development and production environments, with different VPCs, hosts, data, and access controls. The development environment is also hosted on Google Cloud Platform and secured in a manner similar to the production environment. We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our services. Quality Assurance is involved at each phase of the lifecycle, and security best practices are mandated for all development activities. Automated vulnerability scans are performed regularly. Penetration tests by external teams are performed at least annually.

Other security and privacy practices

Asset protection
Customer data is the most important asset for Infinitus.
Other than customer data, Infinitus assets also include Infinitus intellectual property, Infinitus data, the Infinitus development and production environments, and others. Infinitus maintains an asset inventory, and every asset is assigned a confidentiality category. Asset protection is based on the confidentiality categories defined in the Data Management Policy.

Identity and access management
The Infinitus Platform supports authentication services from Google, Microsoft, and SAML. Customers are encouraged to integrate the Infinitus Platform with their own authentication service as SSO. The Infinitus Platform implements role-based access control for customer users; the customer admin manages access for their users. Infinitus personnel’s access to assets is provisioned using role-based access controls, with permissions based on the principles of need-to-know and least privilege. Requests to change access must be approved by the supervisors and the security team. Access to the systems is monitored and logged.

Cryptography
The Infinitus Platform supports the use of TLS 1.2 on all communications. AES-256 is used to protect data at rest.

Data processing and storage
Infinitus and customer data is stored in the cloud. Customer data is always encrypted in transit and at rest. We give additional attention and care to customer PHI and PII. Infinitus is a HIPAA Business Associate where applicable, and we have specific HIPAA Business Associate terms in contracts with our customers and our vendors. Infinitus has an internal data retention policy and has a data retention policy with each customer.

Physical Security
Infinitus enforces physical security controls in its offices. Google and other vendors enforce physical security for the sites hosting Infinitus services and data storage.

Risk Assessment
Infinitus has an established Risk Management Policy.
Infinitus conducts a risk assessment at least annually, including the risks arising from changes to security and privacy regulations.

Service Availability
To minimize service interruption due to hardware failure, natural disasters, or other catastrophes, we have implemented a business continuity and disaster recovery program together with Google Cloud. Google Cloud provides the failover service for Infinitus services and data storage. Infinitus services and data storage are backed up on a regular basis, and service and data restores are tested regularly.

Security Incident Response
Infinitus has a formal Incident Response Plan (“IRP”) to address any security incidents. The IRP defines the responsibilities of key personnel and specifies the procedures to follow for any communication or notification about an incident. The IRP is tested at least annually.

Vendor Management
Infinitus has an established Third-Party Management Policy and closely manages vendors using risk management principles. Infinitus performs compliance, security, privacy, and PHI data processing assessments on vendors to ensure that they meet the same or a higher level of security and privacy standards than Infinitus provides to its customers.

Report Security and Privacy Issues
If you think you have found a real or potential security or privacy issue, please email us at security@infinitus.ai. We have an incident and vulnerability response team to investigate and remediate issues. We ask you to act ethically and contact us first before disclosing the issue to the public.

FAQs
Security is paramount to building trust in the healthcare ecosystem, and Infinitus has always prioritized Security, Compliance, and Privacy. Infinitus is highly committed to securing our most important asset, customer data.
Our SOC 2 Type II certification is just one important milestone on our security journey, and implementing and maintaining SOC 2 requirements demonstrates Infinitus’ ongoing commitment to protecting healthcare data by meeting the most rigorous security standards in the industry.

GENERAL

What product/service does Infinitus offer?
Infinitus Systems, Inc. is a health tech company that offers Benefit Verification (“BV”), PA status checks, claim status checks, pharmacy-to-pharmacy transfers, and other services to healthcare institutions using its SaaS platform. We automate routine phone calls for healthcare operations so our customers can spend less time on hold and more time serving patients.

Where is the Infinitus platform hosted?
The Infinitus platform and services are hosted in Google Cloud Platform.

ACCESS CONTROL

How do customers access the Infinitus Portal?
Customers can authenticate to the Infinitus Portal using Google Authentication, Microsoft Active Directory, passwordless login, and SAML.

How can customers share patient data with Infinitus?
Infinitus provides a REST API and a web application through which benefit verifications and other workflows can be conducted.

What password complexity requirements (e.g. case, characters, length, reuse, expiration, etc.) are available?
Infinitus uses Google authentication or a federated customer authentication service to authenticate customers, so customer user password complexity depends on the customer’s own policy. For Infinitus users, we enforce a minimum password length, strong passwords, and no reuse of passwords.

Is two-factor authentication (2FA) available?
Customers can enforce 2FA for access to the customer portal via the customer’s own authentication service. Infinitus enforces 2FA for Infinitus users.

How often must passwords be changed?
Infinitus uses Google authentication or a federated customer authentication service to authenticate customers, so customer user passwords follow the customer’s own policy.
For Infinitus users, we enforce password rotation every 180 days.

How is separation of access controlled in the Infinitus environment?
Infinitus customer data stored in Google Cloud is separated and access-controlled using unique customer IDs.

Does Infinitus support role-based access controls that may be applied to customer accounts?
Yes. Predefined roles include:
- Organization Owner: super admin for the customer, managing accounts, roles, and privileges.
- Organization Supervisor: supervisor for a group of members, managing members and privileges in the group.
- Organization Member: performs tasks within the authorized scope.
Customers can create, update, and remove their own roles as well.

Does Infinitus immediately remove all access when personnel are terminated?
Infinitus removes all access to the Infinitus environment within 24 hours when personnel are terminated.

AWARENESS AND TRAINING

Does Infinitus have a formal awareness training program implemented for employees and contractor users?
All employees and contractors undergo Information Security, HIPAA, Code of Conduct, and Sexual Harassment Prevention training.

How frequently do Infinitus employees and contractors undergo these training sessions?
Annually.

BUSINESS CONTINUITY AND DISASTER RECOVERY

Does Infinitus have a Business Continuity and Disaster Recovery plan?
Infinitus maintains a Business Continuity and Disaster Recovery plan that is reviewed and tested annually.

Does Infinitus back up customer data on a regular basis?
Infinitus ensures that all data, including customer data, is backed up and can be restored within our recovery time objective if a failure does occur.

CRYPTOGRAPHY & DATA MANAGEMENT

What type of data does Infinitus collect and process?
Infinitus collects and processes PHI (Protected Health Information), PII (Personally Identifiable Information), and other data necessary, as agreed in the service agreement, to provide benefit verification (“BV”) and other services to customers.
How can customers send/receive data to Infinitus?
Customers invoke Infinitus APIs and use Infinitus-provided web applications to transmit records to Infinitus and receive processed records back. Infinitus can also provide EHR integrations for health system customers.

Does Infinitus have a formally documented information classification policy implemented throughout the organization?
Information classifications are defined in the Data Management Policy, and information is classified as Confidential, Restricted, or Public.

Where does Infinitus store customer data?
Customer data is stored within Google Cloud Platform in the USA. All access to customer data goes through Google-managed data centers in the USA and securely through the browser.

How does Infinitus transmit and store customer data securely?
All customer data is transmitted through secure channels with TLS 1.2 encryption enabled and stored encrypted using the 256-bit Advanced Encryption Standard (AES-256).

How does Infinitus monitor access to customer data?
Infinitus logs and monitors all access attempts to our company resources, including customer data.

When does Infinitus delete customer data / How long does Infinitus retain customer data?
Infinitus will delete customer data within an agreed-upon time frame (as defined in the agreement between both parties). Infinitus Systems retains data as long as the company has a need for its use or must meet regulatory or contractual requirements.

COMPLIANCE & PRIVACY

What third-party security certification does Infinitus have?
Infinitus is SOC 2 Type II compliant, which is considered the gold standard for security compliance of software-as-a-service (SaaS) companies.

Is Infinitus a Business Associate (BA) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
As a health tech company, we are a Business Associate to a Covered Entity or a subcontractor to a Business Associate; we comply with HIPAA and have BAAs with all downstream Business Associates.

Does Infinitus need to be compliant with the EU General Data Protection Regulation (GDPR)?
Infinitus currently has no EU customers, and hence does not need to be compliant with the EU GDPR.

Does Infinitus review and verify compliance with all applicable legal, regulatory, and statutory requirements on at least an annual basis?
Infinitus reviews compliance with all applicable legal, regulatory, and statutory requirements at least annually.

How does Infinitus collect and use Member data?
When you interact with us through the Services, we may collect Personal Data and other information from you, and we are committed to the security of that data. Please refer to the Privacy Policy to understand the types of personal data we collect.

INCIDENT RESPONSE

If there is an incident, does Infinitus have a response plan?
In the event of a security issue, Infinitus has an incident response plan to identify the root cause and address the issue. If an incident response is necessary, Infinitus will make efforts to act promptly to minimize harm to the affected data and/or systems, including implementing changes designed to address the security issue.

How frequently is the Incident Response plan tested?
The incident response plan is tested every quarter to verify the effectiveness of incident handling. The information security team assesses, investigates, mitigates, remediates, and reports any issues to customers.

Does Infinitus have defined roles & responsibilities to handle incidents?
Roles and responsibilities of Infinitus team members during incident management are defined in the Incident Response Policy.

How do I report a Security or Privacy incident?
If you see a security or privacy issue, please send an email to security@infinitus.ai.

OPERATIONAL SECURITY

Does Infinitus have a formal Change Management process?
Changes to the organization, business processes, information processing facilities, and systems that affect information security in the production environment and financial systems are controlled. All significant changes to in-scope systems are documented.

Does Infinitus have separate production and non-production environments?
Infinitus strictly segregates production and non-production SaaS environments to reduce the risk of unauthorized access or changes to the operational environment.

How does Infinitus log and monitor access to resources, including customer data?
Infinitus collects a range of logs to monitor access to resources, including data: application-level logs covering customer user activities, Infinitus user activities, and access control, and system-level logs from firewalls and other network appliances. The logs are reviewed weekly to monitor access.

Are customers able to access and download application and system logs?
The application and system logs are for internal purposes only.

How does Infinitus monitor intrusions and changes to system integrity?
Infinitus Systems production systems are configured to monitor, log, and alert on suspicious activity. Alerts are configured for suspicious conditions, and the security team reviews logs on a regular basis for unauthorized intrusions, access attempts, or changes to Infinitus Systems.

Does Infinitus have Vulnerability Management tools and processes in place?
Infinitus employs a combination of SAST and DAST tools to identify and remediate vulnerabilities.

PERSONNEL SECURITY

Does Infinitus perform pre-employment screening, including background checks, for all personnel?
Infinitus performs a complete background check for all personnel, including permanent, contract, and temporary personnel.
What security terms and conditions (T&Cs) does Infinitus include as part of employment agreements for staff and contractors?
All employees and contractors must sign the “Proprietary Information And Inventions Agreement – CA”. During onboarding, all employees and contractors are also required to review and sign the Information Security Policy.

Does Infinitus have a process in place for staff and contractors that require access to customer information?
Infinitus Systems determines the type and level of access granted to individual users based on the “principle of least privilege.” This principle states that users are granted only the level of access absolutely required to perform their job functions, as dictated by Infinitus Systems’ business and security requirements. Permissions and access rights not expressly granted are, by default, prohibited.

PHYSICAL SECURITY

How does Infinitus provide physical security?
Google, our cloud hosting provider, manages security for our data center resources. At the Infinitus office, physical access is restricted to employees and authorized visitors. No confidential information is stored in Infinitus physical locations.

Are physical security measures in place at the sites which hold or process customer data?
The Infinitus platform resides in Google Cloud Platform, and all physical security measures are handled by Google. Refer to https://www.google.com/about/datacenters/data-security/ for more information.

RISK ASSESSMENT

Does Infinitus have formally documented policies and procedures for Risk Assessments?
Yes.

Does Infinitus perform risk assessments on an organization-defined basis of the potential risks and vulnerabilities?
Infinitus conducts a Risk Assessment on an annual basis. The risk assessments are based on SOC 2 standards covering data storage, code base, people, production services, physical security, and custom risks. Infinitus engages a third-party firm to conduct penetration testing to address vulnerabilities.
How frequently does Infinitus conduct risk assessments?
Annually. Infinitus conducts the risk assessment based on SOC 2 standards covering data storage, code base, people, production services, physical security, and custom risks.

SECURITY PROGRAM MANAGEMENT & PRACTICE

Does Infinitus have a formal Information Security program?
Infinitus has a sound Information Security program to address the security, privacy, and compliance needs of the organization and its customers.

What are Infinitus’ Information Security program and policy practices?
The objective of Infinitus’ Information Security Program is to maintain the confidentiality, integrity, and availability of all computer and data communication systems while meeting necessary legislative, industry, and contractual requirements. Infinitus policies, procedures, and standards are SOC 2 Type II certified.

Does Infinitus have formal written Information Security Policies?
Infinitus has the following policies defined:
- Access Control Policy
- Asset Management Policy
- Business Continuity and Disaster Recovery Plan
- Code of Conduct
- Cryptography Policy
- Data Management Policy
- HIPAA and Privacy Policy
- Human Resource Security Policy
- Incident Response Plan
- Information Security Policy (AUP)
- Information Security Roles and Responsibilities
- Operations Security Policy
- Physical Security Policy
- Risk Management Policy
- Secure Development Policy
- Third-Party Management Policy

Can customers get a copy of the Information Security Policy?
Infinitus can share the Information Security Policy packet upon execution of an NDA.

How frequently are the Information Security Policies reviewed?
Annually.

Does Infinitus perform penetration testing?
Annual penetration testing is done on all critical systems as part of the SOC 2 compliance requirement. All findings are prioritized and remediated within 30 days.

SECURE DEVELOPMENT POLICY

Does Infinitus have a secure development policy?
The Secure Development Policy defines the overall secure development lifecycle, including secure software development, secure testing, and system acceptance testing. The Infinitus platform does not handle authentication itself and hence manages no credential data; authentication is performed by Google Cloud or other authentication services.

How does Infinitus promote application/code into the production environment, and is it subject to formal change control, development, testing, and release procedures?
All Infinitus Systems software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and committed in a local repository before being synced to the origin repository. Only members of the infrastructure team have access to conduct release management.

THIRD-PARTY RISK MANAGEMENT

Does Infinitus have a vendor risk management policy, and how frequently is it monitored?
Infinitus has a Third-Party Management Policy which is monitored and reviewed annually. Risk assessments of third-party service providers are conducted according to Infinitus’ Risk Management Policy.

How does Infinitus ensure its third parties implement effective security?
All third parties are required to sign a HIPAA Business Associate Agreement for safe handling of customer and PHI data. In addition, third parties are required to hold a recognized industry-specific certification such as ISO 27001 or SOC 2 Type 2. On an annual basis, we perform a risk assessment on third parties and re-examine all security and privacy requirements. Documents exchanged with third parties may not be shared without prior agreement.

Does Infinitus have vendors accessing or processing customer data?
Infinitus has subcontractors who access and process data on behalf of Infinitus. Infinitus has signed Business Associate Agreements with all vendors that process PHI and adheres to HIPAA regulations.
How does Infinitus handle the termination of third-party contracts where the third party had access to customer data?
Third-party contracts include termination clauses that specifically address the return and/or destruction of all customer data upon termination of such contracts.

Does Infinitus conduct third-party risk assessments on all its vendors?
Infinitus has implemented a risk assessment process for all third parties, including vendors and subcontractors, based on the “Third Party Management” Policy.