Cerebrium is SOC 2 Type I and HIPAA-compliant. That means we enforce certain security standards and protocols. Our compliance is continually monitored through Vanta and a dedicated team. Please reach out to security@cerebrium.ai if you would like more information regarding our security compliance and implementations.

Infrastructure Security

  • Cerebrium frequently performs vulnerability scans, and these vulnerabilities are remediated based on the time frame set out in our incident response plan.
  • Cerebrium conducts annual business continuity and security incident exercises. This is a requirement to remain SOC 2 compliant.
  • Cerebrium has daily database backups enabled.
  • Employee computers are frequently monitored via the Vanta agent.
  • Multi-Factor Authentication (MFA) is enforced across all platforms relating to Cerebrium.
  • Cerebrium uses logging and metrics observability providers, including Datadog and BugSnag.

Organizational Security

  • Cerebrium employees are subject to a general security awareness training during their onboarding period.
  • Cerebrium regularly audits employee access to internal systems.
  • Employee computers are frequently monitored via the Vanta agent.
  • Multi-Factor Authentication (MFA) is enforced across all platforms relating to Cerebrium.

Product Security

  • Cerebrium enforces HTTPS for all services using TLS (SSL), including our Cerebrium Dashboard and our Cerebrium Python package.
  • Cerebrium maintains access logs across all its infrastructure services.
  • Software dependencies are audited by GitHub’s Dependabot.
  • User data is encrypted at rest.

Internal Security Procedures

  • Cerebrium performs regular vulnerability scans, with remediation following our incident response plan timelines.
  • Cerebrium regularly audits employee access to internal systems.
  • Cerebrium conducts annual business continuity and security incident exercises as part of our SOC 2 compliance requirements.

Data and Privacy

  • Cerebrium does not use any customer data to train machine learning models or anything of a similar nature.
  • For customers on our Hobby and Standard plan, we automatically delete request/log data after 7 and 30 days, respectively.
  • Cerebrium deletes customer data upon request, and we have a purge request endpoint where you can request us to delete data sooner.
  • All user data is encrypted at rest.

HIPAA Compliance

Cerebrium is committed to supporting our customers’ HIPAA compliance needs.

As a business associate to covered entities in the healthcare sector, Cerebrium has implemented robust measures to support HIPAA compliance:

Business Associate Agreements (BAA)

  • Cerebrium offers a standardized BAA to all customers who require HIPAA compliance.
  • Our BAA clearly outlines the responsibilities and obligations of both parties in protecting Protected Health Information (PHI).
  • Customers can initiate the BAA process by contacting compliance@cerebrium.ai.

PHI Handling and Storage

  • Cerebrium’s infrastructure is designed to handle PHI securely, with encryption at rest and in transit.
  • We do not access, use, or disclose PHI unless explicitly required for providing our services.
  • Customers are responsible for de-identifying PHI before transmission to Cerebrium’s systems, if de-identification is required for their use case.

Access Controls

  • Strict access controls are in place to ensure that only authorized personnel can access systems that may contain PHI.
  • Role-based access controls are used to limit access to PHI based on job responsibilities and the principle of least privilege.

Audit Logging

  • Comprehensive audit logs are maintained for all activities that could potentially involve PHI.
  • These logs are available to support customers’ accounting of disclosures requirements.

Breach Notification

  • Cerebrium has a robust incident response plan that includes HIPAA-compliant breach notification procedures.
  • Any potential breaches involving PHI are promptly investigated and reported to affected customers within required timeframes.

Employee Training

  • All Cerebrium employees undergo HIPAA awareness training as part of their onboarding process.
  • Regular refresher training is conducted to ensure ongoing HIPAA compliance.

Risk Assessments

  • Cerebrium conducts regular risk assessments to identify and address potential vulnerabilities in our handling of PHI.
  • These assessments are part of our ongoing commitment to maintaining a secure environment for our customers’ sensitive data.

Subcontractors

  • Any subcontractors who may have access to PHI are required to sign a BAA and comply with the same HIPAA requirements as Cerebrium.

Data Retention and Destruction

  • Cerebrium adheres to HIPAA-compliant data retention policies.
  • Secure data destruction processes are in place for when PHI needs to be deleted or when a customer relationship ends.

Compliance Monitoring

  • Our HIPAA compliance measures are continuously monitored and updated to align with any changes in regulations or best practices.

For more detailed information about our HIPAA compliance measures or to discuss specific compliance needs, please contact our compliance team at compliance@cerebrium.ai.