Security statement
Our Security program is focused on providing a high level of care to protect the privacy of our users. We treat the privacy of health data with the utmost importance and respect. While there is no way to completely prevent data exposure, we believe it is our job to provide a high level of care to protect the privacy of data on our platform. As such, we take extensive precautions to secure and protect information from unauthorized access, disclosure, or use.
We take the job of securing your privacy seriously. We designed the Hugo platform to enable you to maintain the privacy of your health data by establishing security measures to protect that data. Our security practices are aligned with best practices and recommendations from the National Institute of Standards and Technology (NIST), our Terms of Service, and our Privacy Policy. We implement and continuously improve the following security measures to provide a secure and privacy-focused environment for storing and sharing your health data.
Architecture and design
The Hugo platform is designed for and hosted on Amazon Web Services (AWS), which is SOC 2 Type II certified. In addition to designing our privacy and security tools following industry best practices, we leverage guidance and tools provided by AWS to protect your privacy. Our platform, company policies, and procedures are designed to protect your privacy using layers of defense.
Data availability and protection
The Hugo platform encrypts data entering or leaving our infrastructure with TLS/HTTPS. All databases are encrypted at rest with AES-256 encryption. Access to data is protected by strong access and authentication controls. We maintain and routinely test our Business Continuity and Disaster Recovery program to provide you with a high level of access to your data while appropriately protecting your privacy.
Software development
We use a well-defined SDLC for developing the Hugo platform. Our process includes design and testing requirements so that we review our work on the platform and protect your privacy. We review and assess our development process on a regular basis to ensure we consistently improve the quality, functionality, and security of our platform.
Access control
We ensure that accounts on the platform and the accounts of our Hugo team members are validated so that each account holder's identity is confirmed. We also ensure that all account privileges are tied to an individual's need to perform their job role. All our access permissions are role-based. Hugo team member accounts are tightly controlled and audited on a regular basis.
Third-party management
The Hugo platform is delivered with the help of partners. These partners may provide services that help us deliver the Hugo platform to you. We review and audit any partner we use to ensure our partners meet our security and privacy standards. We will never share your data with our partners without your informed consent.
Security operations
We undergo annual penetration tests from third-party providers. We also perform regular system auditing of the Hugo platform. Our team continually reviews the Hugo platform to find and fix vulnerabilities.
Physical security
The Hugo platform is built on AWS and is hosted in SOC 2-certified facilities provided by AWS. The Hugo platform inherits the physical security and availability provided by AWS. AWS provides Hugo Health with a highly available and secure hosting environment.
Audit and validation
We have a robust validation and quality assurance process internally. Our audit and validation processes help us certify and authorize changes and new features on the Hugo platform before release. The Hugo platform also utilizes data integrity checks.
Workforce training
Our team plays a critical role in securing the Hugo platform. Our team participates in Security Awareness and job role-related security and privacy training. We believe a well-informed workforce is the cornerstone of protecting your data.
Compliance
Our Compliance team works to ensure Hugo Health complies with regulations and other business-related requirements. We are regulated by the Federal Trade Commission (FTC) and follow the requirements of state breach reporting laws. Additionally, the Hugo platform complies with the requirements outlined in 21 CFR Part 11 and the HIPAA Security Rule.
Governance
Hugo Health has a team member dedicated to managing our Privacy and Security programs. This team member also oversees our compliance and team member training, along with leading our approach to privacy, security, and compliance concerns. This team member holds numerous Privacy and Security focused certifications including CISSP-ISSMP, CISM, CIPP/US, CIPM, and CRISC.