Data security @ MOAI Health
We take data security seriously. Our commitment to safeguarding your sensitive information begins with our implementation of robust security measures.
We employ state-of-the-art encryption, firewalls, and access logging systems to ensure that your health data remains protected at all times. Moreover, our dedication to data security extends to conducting regular risk assessments, allowing us to identify potential vulnerabilities and proactively mitigate risks. We believe in fostering a security culture within our organisation, where every member of our team is trained and committed to upholding the highest standards of data security. Your trust in us is paramount, and we are unwavering in our commitment to providing you with the utmost security for your health data.
MOAI Health adheres to a stringent compliance frameworks to ensure that your health data is handled with the utmost care. We are NCSC Cybersecurity Essentials Plus certified and our policies align with recognised frameworks published by the CQC and NHS Digital.
How we protect your data
We maintain continuous security monitoring and auditing processes. We collect and analyse application, infrastructure, and system logs to detect any anomalies or potential security breaches. These logs are stored and preserved in compliance with regulatory requirements to assist in case of a security incident. Our commitment to security doesn't stop at the door; it's a constant, proactive effort.
We understand that physical security is a critical aspect of health data protection. Our infrastructure is hosted on Google Cloud Platform (GCP), which offers secure data centre facilities and industry-leading physical security measures. We are a hybrid company and operate remotely and on physical premises.
Segregation of Health Data
To ensure the utmost protection for your health data, we employ segregation at multiple levels. Our multi-tenant architecture separates data at the tenant level, and we've established different Virtual Private Clouds (VPCs) for various environments, such as production and development. Furthermore, resources are segregated based on data type, ensuring that different types of health data remain separate.
Each of our environments is hosted within separate Virtual Private Clouds (VPCs) on Google Cloud Platform. Our production networks are meticulously separated between public and internal services, with strict controls in place to prevent unauthorised access.
Access control is a core aspect of health data security. We follow the principle of least privilege, ensuring that only authorised and trained individuals have access to health data. Secure connectivity along with multi-factor authentication is mandatory for accessing our resources. Our access control measures guarantee that employees can only access health data when necessary for their roles, adding an additional layer of protection to your sensitive information. Only a minimal number of authorised MOAI Health employees have access to individual-level data, and access is audited and monitored.
Security Policies and Awareness
Our comprehensive set of information security policies, aligned with ISO 27001 standards, guides our employees and contractors in making the right security decisions. We regularly update these policies to reflect the ever-evolving landscape of health data security. Additionally, we provide our team with security awareness training to ensure they stay informed and vigilant about health data protection.
Once your data enters our systems, we implement multiple layers of encryption and access controls to ensure its security. Data is encrypted in transit and at rest, using advanced encryption standards to maintain its confidentiality. Our workstations and devices are fully encrypted, guaranteeing the protection of the information they contain. Your health data is safe and secure throughout its entire lifecycle with MOAI Health.
We retain your data for as long as necessary to fulfil the purposes for which it was collected, in accordance with applicable laws and regulations. In compliance with GDPR and other data protection regulations, we are also prepared to keep certain data for indefinite periods as required by law. However, if you ever wish to have your data completely removed from our platform, we offer a straightforward data deletion process to accommodate your requests.
Information Security Incident Management
In the event of a security incident, our comprehensive incident response policies and procedures, compliant with GDPR, guide our actions. These procedures provide the necessary steps to address security incidents promptly and effectively, including initial response, investigation, and notification. We prioritise timely communication with both supervisory authorities and affected data subjects, ensuring transparency and compliance with data protection regulations.