Infrastructure Security
- Cerebrium frequently performs vulnerability scans, and the findings are remediated within the time frames set out in our incident response plan.
- Cerebrium conducts annual business continuity and security incident exercises. This is a requirement to remain SOC 2 compliant.
- Cerebrium has daily database backups enabled.
- Employee computers are frequently monitored via the Vanta agent.
- Multi-Factor Authentication (MFA) is enforced across all platforms relating to Cerebrium.
- Cerebrium uses logging and metrics observability providers, including Datadog and BugSnag.
Organizational Security
- Cerebrium employees are subject to a general security awareness training during their onboarding period.
- Cerebrium regularly audits employee access to internal systems.
Product Security
- Cerebrium enforces HTTPS for all services using TLS (SSL), including our Cerebrium Dashboard and our Cerebrium Python package.
- Cerebrium maintains access logs across all its infrastructure services.
- Software dependencies are audited by GitHub’s Dependabot.
- User data is encrypted at rest.
Internal Security Procedures
- Cerebrium performs regular vulnerability scans, with remediation following our incident response plan timelines.
- Cerebrium conducts annual business continuity and security incident exercises as part of our SOC 2 compliance requirements.
Data and Privacy
- Cerebrium does not use any customer data to train machine learning models or anything of a similar nature.
- For customers on our Hobby and Standard plans, we automatically delete request/log data after 7 and 30 days, respectively.
- Cerebrium deletes customer data upon request, and we provide a purge request endpoint through which you can ask us to delete data sooner.
- All user data is encrypted at rest.
HIPAA Compliance
Cerebrium is committed to supporting our customers’ HIPAA compliance needs. As a business associate to covered entities in the healthcare sector, Cerebrium has implemented robust measures to support HIPAA compliance:
Business Associate Agreements (BAA)
- Cerebrium offers a standardized BAA to all customers who require HIPAA compliance.
- Our BAA clearly outlines the responsibilities and obligations of both parties in protecting Protected Health Information (PHI).
- Customers can initiate the BAA process by contacting compliance@cerebrium.ai.
PHI Handling and Storage
- Cerebrium’s infrastructure is designed to handle PHI securely, with encryption at rest and in transit.
- We do not access, use, or disclose PHI unless explicitly required for providing our services.
- Customers are responsible for de-identifying PHI before transmission to Cerebrium’s systems, if de-identification is required for their use case.
Access Controls
- Strict access controls are in place to ensure that only authorized personnel can access systems that may contain PHI.
- Role-based access controls are used to limit access to PHI based on job responsibilities and the principle of least privilege.
Audit Logging
- Comprehensive audit logs are maintained for all activities that could potentially involve PHI.
- These logs are available to support customers’ accounting-of-disclosures requirements.
Breach Notification
- Cerebrium has a robust incident response plan that includes HIPAA-compliant breach notification procedures.
- Any potential breaches involving PHI are promptly investigated and reported to affected customers within required timeframes.
Employee Training
- All Cerebrium employees undergo HIPAA awareness training as part of their onboarding process.
- Regular refresher training is conducted to ensure ongoing HIPAA compliance.
Risk Assessments
- Cerebrium conducts regular risk assessments to identify and address potential vulnerabilities in our handling of PHI.
- These assessments are part of our ongoing commitment to maintaining a secure environment for our customers’ sensitive data.
Subcontractors
- Any subcontractors who may have access to PHI are required to sign a BAA and comply with the same HIPAA requirements as Cerebrium.
Data Retention and Destruction
- Cerebrium adheres to HIPAA-compliant data retention policies.
- Secure data destruction processes are in place for when PHI needs to be deleted or when a customer relationship ends.
Compliance Monitoring
- Our HIPAA compliance measures are continuously monitored and updated to align with any changes in regulations or best practices.