Security & Compliance
Security practices at Founda Health

At Founda Health, security isn't just a requirement; it's a cornerstone of our organization. We integrate comprehensive security measures into every facet of our operations to ensure the highest protection for user data and system integrity.

Data security

Access monitoring
Founda has enabled logging on all critical systems. Logs include failed/successful logins, application access, administrator changes, and system changes. A managed service solution is used to provide audit log storage and monitoring of threats and anomalies.

Backups enabled
Founda is hosted by major hosting providers and the platform is designed for high availability and redundancy. Founda Health configures redundant systems and performs daily backups containing customer and end user data so that system operation can resume in the event of a system failure. By default, the hosting provider provides durable infrastructure to store important data and is designed for durability of 99.9% of objects.

Data erasure
Founda customers are controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Founda customers have the ability to request data deletion or self-serve their own deletion when the data is not subject to regulatory or legal retention period requirements. Please refer to our privacy policy and data processing agreement for more information.

Encryption at rest and in transit
Founda implements strong cryptographic controls to protect sensitive information, including personally identifiable information (PII). We use industry standard encryption methods such as AES-256 for encryption at rest and enforce TLS 1.2+ or mTLS for data in transit to ensure end-to-end protection. While customers cannot choose their own encryption methods, all communication between systems is encrypted by default. Additionally, where applicable, we apply further security measures such as hashing or tokenization to enhance data protection.

Physical security
Founda Health leverages major hosting providers to host our application, and defers all data center physical security controls to them.

Application security

Responsible disclosure
As security is crucial to us at Founda, we find it of the utmost importance to keep an eye out for any security issues that might arise. To this end we have set up a responsible disclosure process. If you have noticed any security issues, please report them through the contact form on our website.

Code analysis
Founda Health's engineering teams conduct secure design reviews for new releases and updates. Infrastructure and network modifications are executed through infrastructure as code (IaC), ensuring consistency and repeatability. Code is reviewed and approved according to the four-eyes principle, preventing unauthorised or unverified changes.

Software development lifecycle (SDLC)
Founda Health uses a defined SDLC process to ensure that code is written securely. Secure design reviews are performed for new releases and updates. As part of secure development, Founda performs code audits, works with independent vendors to drive an annual external penetration test, and conducts continual security scans of our codebase.

Credential management
Founda uses a managed cloud service that simplifies the creation and control of the encryption keys used to protect your data. It provides a secure, centralized platform for managing cryptographic keys throughout their lifecycle, storing them within hardware security modules (HSMs).

Vulnerability & patch management
Founda performs vulnerability scanning to provide a comprehensive view of vulnerabilities across our code, dependencies and deployed systems. Externally and internally facing services are patched on a regular schedule. Any issues that are discovered are triaged and resolved according to their severity within Founda's environment.

Security profile

Third party dependence
In order to provide our solutions, Founda Health and its applicable affiliates engage third party sub-processors to process customers' personal data on our behalf.

Infrastructure

Subprocessor   Purpose of processing   Location
AWS            Hosting provider        EU, USA
Intermax       Hosting provider        Netherlands

Customer and support services

Subprocessor   Purpose of processing
Zendesk        Support services to the customer

Corporate security

Employee training
Security training is required during the employee onboarding process, and annually thereafter. Employees also must read and acknowledge Founda Health's code of conduct and information security policies.

HR security
Founda Health performs background checks on employees when they are hired, in accordance with local laws and regulations.

Incident response
Founda Health has an incident response process which is designed to educate all employees on the proper reaction to security incidents, the required procedural steps, and their role in maintaining compliance with data regulations like GDPR and HIPAA.

Assessments
Internal and external security audits are performed annually.

Internal SSO
Multi-factor authentication (MFA) is required for all employees to log into Founda Health's identity provider.

Access control

Data access
Founda Health internally applies the principle of least privilege for access. Access is granted based on job function, business requirements, and on a need-to-know basis. Access reviews are conducted at a set frequency to confirm that continued access to critical systems and tools is still required.

Password security
Founda Health requires MFA to be enabled for any and all systems that provide the option for MFA.

Infrastructure

Data center
Founda is hosted on major hosting providers, who handle physical security of the data centers.

Infrastructure security
Founda's infrastructure is hosted in a fully redundant, secured environment. Customer data is hosted by the hosting providers (depending on the geographic location of the customer). The hosting providers maintain a list of reports, certifications, and third party assessments to ensure best security practices.

Endpoint security

Disk encryption
Employee laptops have disk encryption enabled for protection.

Endpoint detection & response
All endpoints have detection software installed.

Mobile device management
Founda-owned devices and their software configuration are managed remotely via MDM software.

Threat detection
Founda utilizes third party endpoint protection software for advanced threat protection, detection and response, all managed through a unified platform.

Network security

Firewall
To protect and monitor our network security, we utilize pre-configured, actively updated security rules at our network's edge, combined with automated analysis of our network data to identify unusual patterns and potential threats.

Platform security features

SAML single sign-on (SSO)
Founda provides SSO functionality as part of the XDS stack.

2FA (MFA)
With Keycloak integration, the Founda console provides multi-factor authentication.

Manage permissions
Founda's professional services team will support you and your teams with managing user permission levels.

Compliance
Founda Health employs a robust security and privacy program with advanced features designed to safeguard your data, meeting various regulatory and industry standards. Compliance reports are available upon request via our trust portal; please contact security@founda.com.

SOC 2 Type 2
A SOC 2 Type 2 report is an independent audit by an AICPA certified firm, assessing the effectiveness of a service organization's data protection controls over time and providing assurance to customers and stakeholders. This assessment confirmed that Founda's controls meet the Trust Services Criteria for confidentiality, availability, and security.

Cloud Computing Compliance Controls Catalogue (C5)
BSI C5 is a security standard developed by the German Federal Office for Information Security. Founda Health has passed the BSI C5 assessment which, beyond baseline controls, includes specific requirements for data location, service provisioning, legal jurisdiction, and comprehensive service descriptions.

ISO 27001
Founda Health's ISO 27001, 27017, and 27018 certifications from the International Standards Organization (ISO) confirm its framework for establishing, implementing, and continuously improving its information security management system (ISMS).

NEN 7510
NEN 7510 is the Dutch healthcare standard for information security management, building upon ISO 27001 with specific requirements for protecting sensitive patient data.

For more information on our compliance posture, visit our trust center.