We’re serious about security

At Videra Health, we prioritize the security and privacy of our customers’ personal and patient data. We understand the importance of building trust and maintaining the confidentiality, integrity, availability, security, and privacy of sensitive information. To ensure a robust security program, we have implemented the following measures:

We hold industry-standard certifications, including ISO 27001 and SOC 2 Type II. These certifications demonstrate our commitment to following best practices and adhering to stringent security standards.
Our infrastructure is built on a strong foundation of security.We leverage the AWS US regions with multiple availability zones (Multi-Az) model.
We take a proactive approach to security by conducting regular assessments and monitoring. We work with independent third-party agencies to perform annual penetration testing, ensuring the identification and mitigation of potential vulnerabilities.

HIPAA compliant and certified secure with SOC 2 Type II

Privacy is our priority

Establishing trust is central to good patient/provider relationships, so we don’t spare any effort in safeguarding the confidentiality and integrity of your patients’ information. We adhere to the highest security standards, including full compliance with HIPAA regulations. Beyond that, we ensure the safety of your data through a multi-layered approach that encompasses:

Robust data encryption at every stage

Continuous system monitoring

Stringent data access controls

Rigorous internal and external security testing

Comprehensive employee security training

Data Security

Videra prioritizes the security of its data, employing widely recognized industry-standard encryption methods and ciphers, such as AES-256 and TLS encryption, to safeguard data during transit and storage. Encryption keys are securely stored with restricted access, and advanced encryption techniques are applied across various layers of the application infrastructure, encompassing disk, application, and database encryption. Importantly, the sharing of encryption keys is strictly prohibited, with key management procedures subject to annual reviews to maintain effectiveness.

Videra offers its customers a range of features designed to enhance data security and provide control over access. These features are aligned with the principle of least privilege, ensuring that access is granted only as necessary. Customers are encouraged to configure two-factor authentication and seamlessly integrate their Federated Identity Provider via SAML. Videra supports industry-standard SAML 2.0 for Single Sign-on (SSO) and user authentication. Vigilant collection and continuous monitoring of security event and audit logs allow for the prompt identification and response to unusual activities.

For Videra employees’ access to information systems and resources, multi-factor authentication (MFA) is mandatory. Access is meticulously controlled through a centralized directory system, adhering to the principle of least privilege. The user-friendly Videra platform implements role-based access, providing a seamless experience for patients and providers alike.

The Videra platform is constructed on isolated, private networks within virtual private clouds (VPC). Security groups and firewalls are implemented to manage inbound and internal traffic, strictly limiting access to specific ports on a selected group of machines. The network undergoes continuous monitoring, covering traffic rates, sources, and types beyond ingress and firewalls. Customer data remains meticulously isolated using unique identifiers, ensuring that access to customer-specific information remains exclusive to the designated customer.

Customer data is retained for the necessary duration to comply with data classification and external requirements. Videra has established processes for the secure disposal of tangible property containing Customer Data, leveraging the latest technology to ensure that Customer Data cannot practically be read or reconstructed. If required, customer data can be deleted upon receiving a written request.

People security

Videra maintains strict adherence to established security procedures from onboarding to offboarding. Identity and Access Management (IAM) solutions allow Videra to standardize and automate these processes. Upon completion of a background check, new employees and contractors may also have confidentiality agreements and terms of acceptable use in place. Videra’s comprehensive security training program provides continued education to employees.

Our security policies are communicated internally and readily accessible to employees. In cases of policy violations, we follow a clear disciplinary and enforcement process to maintain the integrity of our security standards.

Secure development lifecycle (SDL)

Videra maintains a dedicated cross-functional team responsible for driving the Secure Development Lifecycle (SDL) in alignment with agile development principles. This team oversees the coordination, communication, refinement, development, and adherence to security controls within Videra’s processes. To ensure the rapid and secure delivery of high-quality products, Videra employs automated Security Testing to identify potential vulnerabilities within source code, dependencies, and underlying infrastructure before product releases.

Videra conducts in-depth analyses of project dependencies to identify vulnerabilities, applying strict scoring criteria that prevent the inclusion of vulnerable dependencies in products until resolved by Engineering teams.

Regular automated web application scans are conducted by Videra to proactively detect bugs, common exploits, and security vulnerabilities during the early stages of the development process. Automation significantly enhances the quality and security of Videra’s platform for its customers.

Videra performs comprehensive vulnerability assessments on all container images to identify any vulnerable software running within a given container. Stringent scoring criteria are applied to prevent the deployment of vulnerable containers until resolution by Engineering teams. A passing score is a prerequisite for deployment.

In adherence to industry best practices, Videra has established a set of baseline source code control standards to maintain proper hygiene within code repositories that support the platform. These standards are developed company-wide and are enforced through automation. Enforced standards encompass role-based access control, least privilege, code and repository ownership, segregation of duties, branch protections, and secrets management, among others.

Security monitoring & response

Videra’s security logs undergo collection, aggregation, and continuous monitoring, all while maintaining industry-standard log protection mechanisms to preserve log integrity.

Videra has firmly established security incident response procedures designed to guide actions in the event of any security breach. These procedures encompass roles and responsibilities, investigative steps, communication protocols, event logging, and remediation actions.

Data availability is safeguarded through the utilization of data replication and backup services provided by AWS. Scheduled data backups are performed at defined intervals and stored across multiple high availability zones.

In preparation for emergencies or adverse events that may jeopardize Customer Data or production systems containing Customer Data, Videra maintains comprehensive business continuity and disaster recovery plans and processes. These plans are geared toward swift response and recovery. Annually, data restore testing exercises are conducted using methodologies aligned with best practices and various scenarios. These tests provide Videra with the means to validate the integrity of backup data and ensure the achievement of recovery point and time objectives (RPO/RTO).

Videra works with third-party experts to conduct independent penetration tests on its applications, services, and overall business operations. These tests yield valuable insights that lead to continuous enhancements in product security and process reliability. These assessments are integral to Videra’s commitment to maintaining compliance with evolving security standards.

An executive summary, with sensitive information redacted, can be provided to customers under a non-disclosure agreement.

Videra Health’s security team would be happy to answer any additional security questions at: