Elemental Cognition (“EC”) recognizes that security and integrity of our platforms, applications and data are critically important. EC is committed to protecting information assets to satisfy our own business objectives and to meet the security requirements of our customers and partners.
Governance
- Information security is a key consideration for all projects.
- Information security is directed by a Chief Information Security Officer, with support from the CEO.
Defense in Depth
- Security is addressed at physical, technical, and operational layers.
- All systems run on highly-secure public cloud infrastructure.
- Infrastructure changes require multiple reviews & approvals.
- Network ingress and egress require explicit authorization.
- Strict separation of development, test, and production systems.
- Access to production is strictly limited, and access is logged.
- Least privilege access model requires explicit authorization.
- Extensive logging of user, system, and security events.
- Code and containers are scanned for security vulnerabilities.
- Periodic external security scans and penetration tests.
Privacy & Confidentiality
- Data is encrypted in flight and at rest.
- Data ownership is defined to the organization and user level.
- Sensitive data (PII, PHI etc.) is separated from other data and can be securely destroyed.
Compliance & Certifications
The EC security program has been developed to comply with rigorous legal and regulatory requirements including:
- SOC 2
- HIPAA
- PCI-DSS
- DoD RMF
- NIST-RMF