Skip to content

Information Security

Information Security Program

Huma AI maintains a robust Information security program which consists of policies, procedures, and controls to maintain the confidentiality, integrity and availability of information and information assets.

Compliance

Huma AI policies, procedures, and standards are in accordance with the SOC 2 Trust Service principles and criteria.
In addition, we hire an accredited third party to audit our compliance to the SSAE 18 SOC 2 standard on an annual basis.

Encryption and Logical Separation

The Cloud Service (AWS) stores content encrypted at rest. This is done leveraging enterprise grade encryption industry standards employed on the storage backend.
Communications between Customer’s endpoints and the Cloud Service (AWS) are encrypted in-transit with appropriate encryption standards for data in motion.
The Cloud Service (AWS) includes logical separation of data between customers. In all cases, Huma AI has implemented controls designed to prevent one customer from gaining unauthorized access to another customer’s data.

Huma AI Service Infrastructure Access Management

Least Privilege
Access to the systems and infrastructure that support the Cloud Service (AWS) is restricted to individuals who require such access as part of their job responsibilities.
Unique User Identification
Unique User IDs are assigned to such individuals as part of their hiring and onboarding process.
Password requirements:
The password policy for the Cloud Service adheres to Huma AI password requirements and is in accordance with industry standards, and best practices.
Access Reviews
Access reviews are performed on a periodic basis, Access privileges of terminated Huma AI personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
Remote Access Review & Networking
Appropriate security measures and controls are utilized for remote administration points of access to the Cloud Service (AWS) production environment.
All access to the Cloud Service networks and sensitive information requires authentication and other access related security controls such as MFA and regularly rotated keys (KMS).

Vulnerability Management

Vulnerabilities that trigger alerts and have published exploits are reported to Security leadership, which determines and supervises appropriate remediation action.
Security Operations monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
Penetration tests by independent third parties are conducted at least annually. Detailed results from external penetration tests are not distributed or shared with anyone other than Huma AI employees with a need to know. Redacted summaries are available with appropriate non-disclosure agreements in place.

Secure Software Development

Huma AI Software Development Life Cycle (SDLC) framework is based on industry standards such as the OWASP, which ensures that secure design practices are integrated directly into the design and development process of the Huma AI systems

 

Secure Software Development

Huma AI maintains a risk management program based on industry guidance.
Huma AI conducts a risk assessment on an annual basis.
Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.

Security Training and Personnel

Huma AI maintains a security awareness program for Huma AI personnel, which provides initial education, ongoing awareness, and individual personnel acknowledgment of intent to comply with Huma AI’s corporate security policies.

New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the Huma AI information security policy.
All Huma AI personnel are required to satisfactorily complete security training annually.

Notification of Security Breach

Huma AI will notify customers in writing within seventy-two (72) hours of confirmed security breach. Notifications will summarize the known details of the Security Breach and the status of Huma AI’s investigation.
Huma AI will take appropriate actions to contain, investigate, and mitigate any such Security Breach.

Availability and Disaster Recovery

Huma AI maintains a Disaster Recovery Plan (DRP) for the Cloud Service. The DRP is tested annually.
Huma AI also maintains policies, procedures, and security controls to ensure the continuity of critical business functions in the event of a catastrophic event. This includes data center resiliency and data redundancy for the Huma AI Cloud service

Vulnerability Reporting

In accordance with reasonable disclosure, we continue to respond to submitted security issues and encourage anyone to report bugs on our platform. Activities that jeopardize the security of our platform is explicitly prohibited.

To submit a bug for review, please send an email to security@huma.ai