| title | Security & Data Privacy |
|---|---|
| description | Cerebrium follows security best practices |
Cerebrium is SOC 2 Type I, HIPAA, GDPR and ISO compliant, and enforces strict security standards and protocols. Compliance is continually monitored through Vanta and a dedicated team. Visit the trust center for compliance reports, or contact security@cerebrium.ai for additional information.
- Cerebrium frequently performs vulnerability scans, with remediation following the incident response plan timelines.
- Cerebrium conducts annual business continuity and security incident exercises as required for SOC 2 compliance.
- Cerebrium has daily database backups enabled.
- Employee computers are frequently monitored via the Vanta agent.
- Multi-Factor Authentication (MFA) is enforced across all platforms relating to Cerebrium.
- Cerebrium uses logging and metrics observability providers, including Datadog and BugSnag.
- Cerebrium employees are subject to a general security awareness training during their onboarding period.
- Cerebrium regularly audits employee access to internal systems.
- Cerebrium enforces HTTPS for all services using TLS (SSL), including the Cerebrium Dashboard and Python package.
- Cerebrium maintains access logs across all its infrastructure services.
- Software dependencies are audited by GitHub's Dependabot.
- User data is encrypted at rest.
- Cerebrium does not use customer data to train machine learning models.
- For customers on the Hobby and Standard plans, request/log data is automatically deleted after 7 and 30 days, respectively.
- Cerebrium deletes customer data upon request. A purge request endpoint is available for immediate deletion.
As a business associate to covered entities in the healthcare sector, Cerebrium implements the following measures to support HIPAA compliance:
- Cerebrium offers a standardized BAA to all customers who require HIPAA compliance.
- The BAA outlines the responsibilities and obligations of both parties in protecting Protected Health Information (PHI).
- Customers can initiate the BAA process by contacting compliance@cerebrium.ai.
- Cerebrium's infrastructure is designed to handle PHI securely, with encryption at rest and in transit.
- Cerebrium does not access, use, or disclose PHI unless explicitly required for service delivery.
- Customers are responsible for de-identifying PHI before transmission to Cerebrium's systems, if de-identification is required for their use case.
- Strict access controls are in place to ensure that only authorized personnel can access systems that may contain PHI.
- Role-based access controls are used to limit access to PHI based on job responsibilities and the principle of least privilege.
- Comprehensive audit logs are maintained for all activities that could potentially involve PHI.
- These logs are available to support customers' accounting of disclosures requirements.
- Cerebrium maintains an incident response plan that includes HIPAA-compliant breach notification procedures.
- Any potential breaches involving PHI are promptly investigated and reported to affected customers within required timeframes.
- All Cerebrium employees undergo HIPAA awareness training as part of their onboarding process.
- Regular refresher training is conducted to ensure ongoing HIPAA compliance.
- Cerebrium conducts regular risk assessments to identify and address potential vulnerabilities in PHI handling.
- These assessments help maintain a secure environment for customer data.
- Any subcontractors who may have access to PHI are required to sign a BAA and comply with the same HIPAA requirements as Cerebrium.
- Cerebrium adheres to HIPAA-compliant data retention policies.
- Secure data destruction processes are in place for when PHI needs to be deleted or when a customer relationship ends.
- HIPAA compliance measures are continuously monitored and updated to align with changes in regulations and best practices.
For more information on HIPAA compliance or specific compliance needs, contact the compliance team at compliance@cerebrium.ai.