Trust & Safety

Security at Cardiomics

Your research data deserves enterprise-grade protection. We take security seriously at every level of our platform.

SOC 2 Type II · 256-bit AES · 99.9% Uptime · HIPAA Ready

Encryption at Rest and in Transit

Your data is encrypted with AES-256 at rest and TLS 1.3 in transit. Our staff cannot read your raw data without your authorization. Because the platform decrypts on your behalf once authorized, this is server-side encryption rather than end-to-end encryption, where only you would hold the keys.

Data Sovereignty

You own your data. We never sell it, share it with third parties, or use it to train AI models without explicit consent.

24/7 Monitoring

Our security team monitors for threats around the clock. Automated systems detect and respond to anomalies in real time.

Compliance & Certifications

We meet the highest standards for data protection and security

SOC 2 Type II

Independently audited for security, availability, and confidentiality controls

HIPAA

Enterprise plans include HIPAA-compliant infrastructure and Business Associate Agreements (BAAs)

GDPR

Full compliance with EU data protection regulations and user rights

ISO 27001

Infrastructure hosted on ISO 27001 certified cloud platforms; this certification is held by the hosting provider rather than by Cardiomics directly

Infrastructure Security

Our infrastructure is designed with security-first principles:

  • Cloud Infrastructure: Hosted on enterprise-grade cloud providers (AWS/GCP) with SOC 2 and ISO 27001 certifications
  • Network Isolation: VPC isolation, private subnets, and strict firewall rules limit network exposure
  • Geographic Redundancy: Multi-region deployment with automatic failover ensures high availability
  • DDoS Protection: Enterprise-grade DDoS mitigation and rate limiting protect against attacks
  • Vulnerability Management: Continuous vulnerability scanning with rapid patching cycles

Application Security

Security is built into every stage of our development process:

  • Secure Development: OWASP-aligned secure coding practices with mandatory code review
  • Dependency Scanning: Automated scanning for vulnerable dependencies with alerts and updates
  • Penetration Testing: Regular third-party penetration tests by certified security firms
  • Input Validation: Comprehensive input validation and output encoding prevent injection attacks
  • Session Security: Secure session management, CSRF protection, and secure cookie handling
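The session-security bullet above names the controls without showing their shape. The following Go example is added here for illustration and is not taken from Cardiomics' code base: it sets the session cookie with the Secure, HttpOnly and SameSite=Strict attributes and enforces a synchronizer CSRF token bound to the session by HMAC. The cookie name `__Host-session`, the header name `X-CSRF-Token` and the secret value are assumptions chosen for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// Constructed example secret that binds CSRF tokens to sessions. In a real
// deployment this comes from a secrets manager, never from source code.
var csrfSecret = []byte("example-only-not-a-real-secret-rotate-me")

// newSessionID returns 32 random bytes, hex-encoded, as an opaque session identifier.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// sessionCookie builds the session cookie with the attributes that matter:
// Secure (HTTPS only), HttpOnly (not readable from JavaScript), SameSite=Strict
// (not sent on cross-site requests) and a bounded lifetime. The __Host- prefix
// makes the browser refuse the cookie unless it is Secure, Path=/ and has no Domain.
func sessionCookie(sessionID string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-session", // assumed cookie name
		Value:    sessionID,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int(ttl.Seconds()),
	}
}

// csrfToken derives a synchronizer token bound to one session: HMAC-SHA256 over
// the session ID. The token travels in a form field or header, never in a
// cookie, so a cross-site request cannot supply it automatically.
func csrfToken(secret []byte, sessionID string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(sessionID))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// validCSRF compares a submitted token with the one expected for this session
// in constant time, so the comparison leaks nothing about the expected value.
func validCSRF(secret []byte, sessionID, submitted string) bool {
	expected := csrfToken(secret, sessionID)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

// requireCSRF wraps a handler: state-changing methods must carry a token in the
// X-CSRF-Token header (assumed name) that matches the session cookie.
func requireCSRF(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods change no state
			return
		}
		c, err := r.Cookie("__Host-session")
		if err != nil || !validCSRF(secret, c.Value, r.Header.Get("X-CSRF-Token")) {
			http.Error(w, "forbidden: missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	sid, err := newSessionID()
	if err != nil {
		panic(err)
	}
	c := sessionCookie(sid, 12*time.Hour)
	tok := csrfToken(csrfSecret, sid)
	fmt.Println("Set-Cookie:", c.String())
	fmt.Println("same session, right token:", validCSRF(csrfSecret, sid, tok))
	fmt.Println("other session, same token:", validCSRF(csrfSecret, "attacker-session", tok))
}
```

Because the token is derived from the session ID, a token stolen from one session is useless against another, and a tampered token fails the constant-time comparison; the handler wrapper is what turns the check into "CSRF protection" for every state-changing route.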

Bug Bounty Program

We work with the security research community to identify vulnerabilities. Responsible disclosure is rewarded. Contact security@cardiomics.ai to participate.

Access Control

We implement strict access controls at every level:

  • Role-Based Access: Granular permissions ensure users only access what they need
  • Multi-Factor Authentication: MFA available for all accounts, required for administrative access
  • Single Sign-On: SAML 2.0 and OAuth integration for enterprise identity providers
  • Session Management: Automatic session timeout, device management, and suspicious activity alerts
  • Audit Logging: Comprehensive logs of all access and changes, retained for compliance

Data Protection

Your research data is protected at every stage:

  • Encryption at Rest: AES-256 encryption for all stored data, including backups
  • Encryption in Transit: TLS 1.3 for all data transfers, with certificate pinning
  • Data Isolation: Logical isolation ensures your data is never accessible to other users
  • Secure Backups: Encrypted backups in geographically separate locations
  • Secure Deletion: Cryptographic erasure (destroying the encryption key rather than relying on overwriting storage) ensures deleted data is unrecoverable
  • No Training Use: Your data is never used to train AI models without explicit opt-in consent
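The data-protection bullets above name AES-256 at rest, logical isolation and cryptographic erasure together. The following Go example is added here to show how those three fit: one AES-256-GCM data key per tenant, the tenant ID bound into every ciphertext as associated data, and erasure implemented by destroying the key. It is an illustration, not Cardiomics' implementation; the in-memory key store, the `KeyStore` API and the tenant names `lab-a` and `lab-b` are assumptions, and a production system would wrap these keys under a KMS-held key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// ErrNoKey is returned once a tenant's key has been erased (or never existed):
// every ciphertext under that key is then unrecoverable by design.
var ErrNoKey = errors.New("no data key for tenant")

// KeyStore holds one 256-bit data-encryption key per tenant. Constructed
// example: keys live in memory here; a real system wraps them with a KMS key.
type KeyStore struct {
	mu   sync.Mutex
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: make(map[string][]byte)} }

// Provision generates a fresh AES-256 key for a tenant.
func (ks *KeyStore) Provision(tenant string) error {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.mu.Lock()
	defer ks.mu.Unlock()
	ks.keys[tenant] = key
	return nil
}

// aead looks up the tenant key and builds an AES-GCM instance over it.
func (ks *KeyStore) aead(tenant string) (cipher.AEAD, error) {
	ks.mu.Lock()
	key, ok := ks.keys[tenant]
	ks.mu.Unlock()
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the tenant's key. The tenant ID is bound as
// associated data, so a blob cannot be replayed into another tenant's
// namespace even if keys were ever shared. Output is nonce || ciphertext || tag.
func (ks *KeyStore) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Decrypt opens a blob produced by Encrypt. It fails if the key is gone, the
// tenant differs from the one it was sealed for, or the ciphertext was modified.
func (ks *KeyStore) Decrypt(tenant string, blob []byte) ([]byte, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(tenant))
}

// Erase is cryptographic erasure: zero the key and drop it. Every copy of the
// tenant's ciphertext, including any in backups, is now indistinguishable
// from random bytes without touching the storage that holds it.
func (ks *KeyStore) Erase(tenant string) {
	ks.mu.Lock()
	defer ks.mu.Unlock()
	if key, ok := ks.keys[tenant]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks.keys, tenant)
	}
}

func main() {
	ks := NewKeyStore()
	for _, tenant := range []string{"lab-a", "lab-b"} {
		if err := ks.Provision(tenant); err != nil {
			panic(err)
		}
	}
	blob, _ := ks.Encrypt("lab-a", []byte("constructed sample: ecg-trace-001"))
	_, errCross := ks.Decrypt("lab-b", blob)
	fmt.Println("cross-tenant decrypt fails:", errCross != nil)
	ks.Erase("lab-a")
	_, errGone := ks.Decrypt("lab-a", blob)
	fmt.Println("after erasure:", errGone)
}
```

The point to notice is that isolation and erasure both fall out of key handling rather than storage handling: tenant B cannot open tenant A's blob because it has a different key and a different associated-data tag, and once `Erase` runs, the same blob returns `ErrNoKey` no matter how many backup copies of it exist.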

Incident Response

We maintain comprehensive incident response procedures:

  • 24/7 Monitoring: Security operations center monitors for threats continuously
  • Automated Detection: Machine learning-based anomaly detection identifies suspicious activity
  • Response Team: Dedicated incident response team with defined escalation procedures
  • Customer Notification: Affected customers notified within 72 hours of a confirmed breach
  • Post-Incident Review: Thorough analysis and remediation following any incident

Employee Security

Our team follows strict security protocols:

  • Background Checks: Comprehensive background screening for all employees
  • Security Training: Mandatory security awareness training and phishing simulations
  • Least Privilege: Employee access limited to what's necessary for their role
  • Secure Devices: Managed devices with encryption, MDM, and endpoint protection

Security Questions?

Our security team is happy to answer questions, provide additional documentation, or discuss enterprise security requirements.
