Identity and Access Management
· InfoSec
Does your product support Multi-Factor Authentication (MFA) for customer users when logging into your system?
Remediated
Answer: Yes
NEDOCS supports multi-factor authentication for all customer accounts, with two methods. The default method emails a 6-digit one-time code to the account email address (which is also the username); the alternative is an app-based TOTP (RFC 6238) authenticator (Google/Microsoft Authenticator, 1Password, Authy) enrolled by scanning a QR code. After a correct password the user is challenged for the code before a session is established. Email codes expire in 10 minutes and are stored only as SHA-256 hashes; TOTP secrets are encrypted at rest. MFA can additionally be mandated for privileged roles via configuration.
NIST CSF V1.1: PR.AC-1, PR.AC-4, PR.AC-6
NIST CSF V2.0: PR.AA-01, PR.AA-02, PR.AA-05
Evidence →
Does your product support Single Sign-On (SSO), such as SAML or OIDC, for customer users logging into your system?
Planned
Answer: No
SAML/OIDC SSO is on the roadmap. In the interim, password policy and MFA have been strengthened: minimum 8 characters with upper/lower/number complexity, TOTP MFA, brute-force lockout, and forced password change on reset.
NIST CSF V2.0: PR.AA-01, PR.AA-03
What password complexity configurations and settings are available?
Implemented
Answer: Minimum 8 characters requiring at least one uppercase letter, one lowercase letter, and one number.
Enforced centrally on account creation, password reset, and password change (config.security.minPasswordLength; validatePassword). Length is configurable per deployment.
NIST CSF V1.1: PR.AC-6
NIST CSF V2.0: PR.AA-02
Evidence →
Is there lockout for failed login attempts? What are the lockout settings?
Implemented
Answer: Yes — accounts lock after 10 consecutive failed attempts for 15 minutes (both configurable).
AccessFailedCount is incremented on each failed sign-in; on reaching the threshold LockoutEnd is set and further attempts are refused until it elapses. A successful sign-in resets the counter.
NIST CSF V1.1: PR.AC-6
NIST CSF V2.0: PR.AA-02
Does your system/service support role-based access controls/rights that may be applied to customer accounts?
Implemented
Answer: Yes
Role-based access control (Administrator, NEDOCS, manager, User) is enforced by middleware on every protected route. Hospital-scoped data isolation ensures users only see their own organization's data (least privilege).
NIST CSF V1.1: PR.AC-1, PR.AC-4, PR.AC-6
NIST CSF V2.0: PR.AA-02, PR.AA-05
Is the principle of least privilege applied when provisioning customer accounts?
Implemented
Answer: Yes
Accounts receive only the roles required for their job function; hospital data is logically segregated per tenant.
NIST CSF V2.0: PR.AA-01, PR.AA-02, PR.AA-05
Does your application force a timeout for inactivity? Is the timeout customer-configurable?
Implemented
Answer: Yes — a 30-minute idle timeout is enforced and is customer-configurable.
Authenticated sessions are invalidated after 30 minutes of inactivity (SESSION_IDLE_TIMEOUT_MINUTES). Session cookies are HTTP-only, SameSite=Lax, and Secure in production, with an 8-hour absolute lifetime.
NIST CSF V2.0: PR.AA-05
Does your product implement restrictions on concurrent user sessions and detect unauthorized access?
Implemented
Answer: Yes — server-side session store with per-user session tracking; policy prohibits shared/generic accounts.
Sessions are stored server-side in MongoDB; the acceptable-use policy prohibits generic/group email accounts as primary account identities.
NIST CSF V2.0: DE.CM-03
Cryptographic Controls
· InfoSec
Does your product/service encrypt data at rest?
Remediated
Answer: Yes
Data is encrypted at rest at two layers: (1) application-layer field encryption using AES-256-GCM for sensitive fields (MFA/TOTP secrets, phone numbers, one-time verification codes), keyed by a 256-bit data key (DATA_ENCRYPTION_KEY); and (2) full-volume/database encryption provided by the hosting tier. Password material is stored only as PBKDF2-HMAC-SHA256 hashes (100k iterations); reset tokens as SHA-256 digests.
HIPAA Security § 164.312(a)(2)(iv)
NIST CSF V1.1: PR.DS-1
NIST CSF V2.0: PR.DS-01
Evidence →
Does your product/service encrypt data in transit? Do you use TLS 1.2 or later?
Implemented
Answer: Yes — TLS 1.2+ for all web and API traffic.
All traffic is served over HTTPS/TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled in production. HL7/EHR ingestion requires TLS 1.2+.
HIPAA Security § 164.312(a)(2)(iv)
NIST CSF V1.1: PR.DS-2
NIST CSF V2.0: PR.DS-02
Is your organization responsible for managing encryption keys for this product/service?
Implemented
Answer: Yes
Application data keys are provisioned via secrets management (environment-injected, never committed) and rotated per policy. Hosting-tier keys are managed by the cloud provider's KMS. Guidance follows NIST SP 800-57.
NIST SP 800-57 Part 1 Rev. 5
Is AI training/inference data encrypted at rest using industry-standard encryption (e.g., AES-256)?
Implemented
Answer: Yes — AES-256 at rest; TLS 1.2+ in transit.
AI features send de-identified/synthetic operational inputs only; any retained data is encrypted with AES-256 at rest and TLS 1.2+ in transit.
NIST AI RMF: MAP 4.1
Application Security
· InfoSec
Can you provide a data flow diagram showing the relationships of principal parts/functions and the flow of data and communications?
Remediated
Answer: Yes
A system architecture and data-flow diagram is published on the Trust Center. It shows browser/EHR clients, the TLS boundary, the Express application tier, network segmentation between the public marketing site and the authenticated app, the MongoDB data tier with encryption at rest, and the external LLM inference boundary (de-identified inputs only).
NIST CSF V1.1: DE.AE-1
NIST CSF V2.0: ID.AM-03
Evidence →
Do you incorporate security (controls, processes, training) as part of your Software Development Lifecycle (SDLC)?
Implemented
Answer: Yes
Security is embedded in the SDLC: peer code review, automated code scanning before production, dependency review, staged test-before-production deployment, and rollback procedures via the change-management process.
NIST CSF V1.1: PR.IP-2
NIST CSF V2.0: PR.PS-06
Do you implement controls to ensure data accuracy, such as integrity checks, input and data validation?
Implemented
Answer: Yes — integrity constraints, access controls, input validation, and data validation.
Server-side input validation, parameterized database access, output encoding in templates, and CSRF-resistant session cookies (SameSite).
NIST CSF V1.1: PR.DS-6
NIST CSF V2.0: PR.DS-01
Does the solution exclude confidential information from URLs (e.g., date of birth, medical record number, account number)?
Implemented
Answer: Yes
Sensitive identifiers are never placed in URLs; the evaluation tier processes no PHI.
Is your product/service scanned by a dynamic application security scanning (DAST) tool while in production?
In Progress
Answer: In progress
Static analysis and automated code scanning run pre-production today (compensating control). A continuous DAST capability against the production surface is being onboarded.
NIST CSF V1.1: DE.CM-8
NIST CSF V2.0: ID.RA-01
Do you provide APIs for your product/service? Describe the security model and controls.
Implemented
Answer: Yes — REST + HL7 ingest APIs authenticated by per-hospital API keys (Bearer/X-API-Key), TLS 1.2+.
Documented OpenAPI 3.1 spec at /api/openapi.json. Each hospital is issued a scoped API key; keys are managed in Settings and can be rotated/revoked. PHI is not persisted — only synthesized flow metrics.
Event Logging
· InfoSec
Which event log details are captured by your product or service? (Select all that apply)
Implemented
Answer: Success/failure of the event, event source, event date/timestamp, where the event occurred, identity of the user/subject, and event type.
Server-side request logging, authentication events (including MFA and lockout), agreement-acceptance audit records, and HL7 ingestion events are captured with source, timestamp, actor, and outcome.
NIST CSF V1.1: PR.PT-1, DE.AE-3
NIST CSF V2.0: DE.AE-03, PR.PS-04
Does your organization validate that logs are not tampered with? What controls are in place?
Implemented
Answer: Yes — append-only audit collections and immutable agreement-acceptance records; SIEM-forwardable.
Agreement-acceptance records (timestamp, user, IP, user-agent, version) are stored in an immutable audit collection. Logs can be forwarded to a customer SIEM.
NIST CSF V1.1: PR.PT-1
NIST CSF V2.0: PR.PS-04
How long does the product/service retain user activity and system logs?
Implemented
Answer: User activity logs: at least 1 year. System logs: 1 year or more.
NIST CSF V2.0: PR.PS-04
Data Security Management
· InfoSec
Where is your primary and backup data center located for US-based customers?
Implemented
Answer: Within the United States (Los Angeles, California; distributed/redundant backup within the US).
NIST CSF V1.1: PR.IP-5
NIST CSF V2.0: PR.IR-02
Is each customer's data physically or logically segregated from other customers' data?
Implemented
Answer: Logically segregated (per-hospital tenancy and access scoping).
Is any production data used in non-production environments?
Implemented
Answer: No — non-production uses synthetic/de-identified data.
Does your data destruction process follow NIST SP 800-88: Guidelines for Media Sanitization?
Implemented
Answer: Yes
NIST SP 800-88
Does the organization protect customer data with a data loss prevention (DLP) solution and monitor for suspicious activity?
In Progress
Answer: In progress
Compensating controls in place today: least-privilege access, encryption at rest and in transit, egress restrictions, and monitoring/alerting on the hosted environment. A dedicated DLP tool is being evaluated.
Threat / Vulnerability Management
· InfoSec
Has a third party conducted a penetration test on your product or service within the last year?
Planned
Answer: Scheduled
An independent third-party penetration test is scheduled. Compensating controls today: internally conducted testing, automated vulnerability scanning, and pre-production code scanning. Results will be available to customers under NDA.
NIST CSF V1.1: ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-5, DE.CM-8
NIST CSF V2.0: ID.RA-01, ID.RA-02, ID.RA-03, ID.RA-05
What is your policy for remediation of critical vulnerabilities (CVSS 9-10) and non-critical (<9)?
Implemented
Answer: Critical (CVSS 9-10): within 24 hours. Non-critical (<9): within 30 days.
NIST CSF V2.0: ID.RA-01
Do you perform vulnerability scans of your product/service? How often?
Implemented
Answer: Yes — continuous/automated dependency and vulnerability scanning.
NIST CSF V1.1: PR.IP-12, DE.CM-8
NIST CSF V2.0: ID.RA-01
Is the operating environment protected by a firewall, WAF, IDS/IPS, and monitored for suspicious activity?
Implemented
Answer: Yes — firewall, web application firewall, and IDS/IPS protect the hosted environment.
NIST CSF V1.1: PR.PT-4
NIST CSF V2.0: PR.IR-01
Do you provide a capability for users/researchers to report security vulnerabilities?
Implemented
Answer: Yes — security contact published on the Trust Center and Compliance page.
Updates / Change Management
· InfoSec
Do you follow a documented change/release management process with approvals and rollback?
Implemented
Answer: Yes
Changes are peer-reviewed, validated in a test environment before production, deployed via a documented process, and support rollback. Unauthorized changes are detectable via version control and deployment controls.
NIST CSF V1.1: PR.IP-3, PR.MA-1
NIST CSF V2.0: ID.AM-08, ID.RA-07, PR.PS-01
Is your code scanned by an automated code scanning tool before being put into production?
Implemented
Answer: Yes
AI-assisted and automated code scanning run before production; AI-generated code is reviewed and validated against secure-development standards.
NIST CSF V1.1: DE.CM-4, DE.CM-5, DE.CM-8
NIST CSF V2.0: DE.CM-09, ID.RA-01
Security Compliance
· InfoSec
In the past year, has your organization completed a SOC 2 Type 2 control report?
Remediated
Answer: Yes, within the past year
I AM GRACE INC. has completed a SOC 2 Type II examination of the NEDOCS service covering Security, Availability, and Confidentiality Trust Services Criteria. The report attests that controls were suitably designed and operated effectively throughout the examination period. Available to qualified customers and assessors under NDA on request.
Which cybersecurity standards, frameworks, or best practices are leveraged? (Select all that apply)
Implemented
Answer: HIPAA Security, NIST (CSF v2.0 / SP 800 series), SOC 2, CIS Critical Security Controls.
NIST CSF V2.0
HIPAA Security Rule
SOC 2
CIS Controls
Does your organization review and verify compliance with applicable legal/regulatory requirements at least annually?
Implemented
Answer: Yes
NIST CSF V1.1: ID.GV-3, PR.IP-5
NIST CSF V2.0: GV.OC-03, PR.IR-02
Legal / Regulatory
· Vendor-GRC
Is your organization a Business Associate (BA) as defined by HIPAA?
Informational
Answer: Yes, when a BAA is executed — NEDOCS is HIPAA business-associate ready.
Clarification: NEDOCS is designed as a HIPAA business-associate-ready service. The self-serve evaluation tier operates without PHI (attested at signup and re-acceptance). When a hospital moves to production use with PHI, I AM GRACE INC. executes a Business Associate Agreement and acts as a Business Associate under 45 CFR 160.103. Data-input sensitivity and the no-PHI evaluation boundary are documented in the Compliance page and Privacy Policy.
45 CFR 160.103
NIST CSF V2.0: GV.OC-01, GV.OC-03, GV.OC-05
Evidence →
Does your organization require NDAs or confidentiality agreements with third-party vendors when confidential, sensitive, or PII will be disclosed?
Remediated
Answer: Yes
Material sub-processors and vendors that may access confidential or personal data are bound by written confidentiality and data-protection agreements; where PHI is in scope, business-associate or equivalent contractual protections apply. Employees also sign confidentiality agreements as a condition of employment.
NIST CSF V1.1: ID.SC-3
NIST CSF V2.0: GV.SC-05
Evidence →
Is your company's headquarters located within the United States?
Implemented
Answer: Yes — Century City, California, USA.
NIST CSF V2.0: PR.IR-02
Is your organization required to be compliant with the EU GDPR?
Informational
Answer: Addressed — the Privacy Policy covers GDPR/UK GDPR rights and transfer safeguards.
Operational Resilience
· Resiliency
Does your organization have documented, communicated business continuity and disaster recovery plans, tested at least annually?
Implemented
Answer: Yes — BCP and DR plans are documented, communicated, and tested at least annually.
NIST CSF V2.0: GV.OC-04, ID.IM-02, ID.IM-04, PR.IR-03, RC.RP-01
How often are backups taken, are they encrypted, and where are they stored?
Implemented
Answer: At least daily, encrypted, stored in distributed US locations; recovery tested at least annually.
NIST CSF V1.1: PR.IP-4, PR.DS-2
NIST CSF V2.0: PR.DS-11, PR.DS-02
What are the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)?
Implemented
Answer: RPO: 2 hours or less. RTO: 4 hours or less.
What availability percentage is specified in your SLA? Is support available 24x7?
Implemented
Answer: ≥ 99.9% availability target; 24x7 monitoring of uptime/availability.
Incident Response Management
· Vendor-Operational
Does your organization have a formal security incident management and response plan documenting activities, procedures, and roles?
Implemented
Answer: Yes
Incidents are triaged by severity with defined escalation paths; incident logs are stored separately from application databases.
NIST CSF V2.0: RS.MA-01, RS.MA-02, RS.CO-02, RS.CO-03
Does your organization have a documented process for notifying customers of incidents, and how quickly?
Implemented
Answer: Yes — customers are notified in less than 24 hours via email/support portal; PHI breaches per 45 CFR §164.410.
HIPAA Breach Notification Rule §164.410
NIST CSF V2.0: RS.CO-03, RC.CO-03
Evidence →
AI Use & Model Governance
· Artificial Intelligence (AI)
Did you mitigate OWASP LLM Top 10 risks during the development of your AI model?
Compensating Control
Answer: Yes (compensating controls) — OWASP LLM Top 10 risks are addressed for our AI-assisted features.
NEDOCS does not train foundation models. AI-assisted features (shift-debrief summarization, forecasting) call a third-party LLM (Anthropic) under enterprise controls with a contractual no-training commitment. OWASP LLM Top 10 mitigations in place: prompt/response handling to limit prompt injection, no PHI/PII sent in the evaluation tier (input minimization/de-identification), output is advisory only (human-in-the-loop; no automated clinical decisions), least-privilege API keys, rate limiting, and monitoring. Model inputs/outputs are treated as untrusted and validated.
OWASP LLM Top 10
NIST AI RMF: GOVERN 1.1, MAP 4
Evidence →
Does your organization use customer data to train or retrain AI models? Is it anonymized?
Implemented
Answer: No customer PHI/PII is used to train foundation models; any RAG/analytics inputs are anonymized/de-identified.
External LLM providers are contractually prohibited from training on NEDOCS inputs/outputs.
NIST AI RMF: MAP 4.1
Are RBAC and MFA enforced to restrict access to AI training/inference data, with monitoring?
Implemented
Answer: Yes — RBAC + MFA, encryption at rest/in transit, logical segmentation, and monitoring for anomalies.
NIST AI RMF: MAP 4
No questions match your filter.