Security Commitments
RadMiddle, Inc. operates the Horizon Care AI platform with the following security commitments to our pilot customers and future customers. These commitments are operationalized by controls audited annually under the SOC 2 framework (Trust Services Criteria: Security and Availability) and aligned with HIPAA Security Rule requirements for systems handling protected health information.
Identity and Access
- Defined and documented roles and responsibilities for information security across the platform.
- Principle of least privilege applied to identity and access management at the application, database, and infrastructure layers.
- Minimum password length and complexity requirements are enforced; multi-factor authentication is required on every system that supports it.
- A password manager is used to generate, store, and manage credentials so that complexity requirements are maintained.
- Employees and contractors complete information security awareness training; new hires undergo background verification consistent with applicable law and the role's data access.
Data Protection
- All databases and storage volumes are encrypted at rest using industry-standard encryption.
- All data in transit, both between internal systems and between users and the platform, is encrypted using TLS.
- Customer data is logically separated between organizations using database-level row-level security, so that each organization's queries can only reach rows tagged with that organization's identifier.
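To make the row-level-security commitment above concrete, here is an added example of how such tenant isolation is typically enforced in PostgreSQL. This is illustrative code, not RadMiddle's own schema or policy: the table `patient_records`, the `org_id` column, the application role `horizon_app`, and the session setting `app.org_id` are all assumed names, and it assumes the application's login role is (or is a member of) `horizon_app`.

```sql
-- Added example (not RadMiddle's schema): PostgreSQL row-level security
-- isolating tenants on a hypothetical patient_records table keyed by org_id.

CREATE TABLE patient_records (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    mrn     text NOT NULL,
    note    text
);

-- Application role: not a superuser and without BYPASSRLS, otherwise every
-- policy below is silently skipped.
CREATE ROLE horizon_app NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_records TO horizon_app;

-- Enable RLS, and FORCE it so the table owner is subject to the policy too.
ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_records FORCE ROW LEVEL SECURITY;

-- The tenant is carried in a session variable the application sets per
-- request. current_setting(..., true) returns NULL or '' when unset; NULLIF
-- maps '' to NULL so the uuid cast cannot error, and NULL = org_id is never
-- true, so a request that forgot to set its tenant sees zero rows.
CREATE POLICY tenant_isolation ON patient_records
    FOR ALL
    TO horizon_app
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Per-request usage on a pooled connection. SET LOCAL scopes both the role
-- and the tenant to this transaction, so a reused connection cannot carry
-- the previous tenant into the next request.
BEGIN;
SET LOCAL ROLE horizon_app;
SET LOCAL app.org_id = '0f1c2b3a-0000-4000-8000-000000000001';
SELECT id, mrn FROM patient_records;   -- returns only that organization's rows
COMMIT;

-- Writing a row for a different organization is rejected by WITH CHECK with
-- "new row violates row-level security policy for table "patient_records"".
BEGIN;
SET LOCAL ROLE horizon_app;
SET LOCAL app.org_id = '0f1c2b3a-0000-4000-8000-000000000001';
INSERT INTO patient_records (org_id, mrn, note)
VALUES ('0f1c2b3a-0000-4000-8000-000000000002', 'MRN-42', 'cross-tenant write');
ROLLBACK;

-- Audit check: the application role must have neither attribute that
-- bypasses RLS. Both columns should read false.
SELECT rolname, rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'horizon_app';
```

The two points a practitioner checks when auditing this control are the `FORCE ROW LEVEL SECURITY` setting (without it, a connection running as the table owner ignores the policy) and the `pg_roles` attributes of the application role, since a superuser or `BYPASSRLS` role reads every tenant's rows regardless of policy.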
Infrastructure and Detection
- Production infrastructure is hosted on Amazon Web Services. Backup copies of critical data are replicated to a separate AWS region.
- Network intrusion detection, vulnerability scanning, and active threat monitoring run continuously against the production environment.
- Cloud-service activity is logged, retained, and reviewed.
Availability and Recovery
- The platform is operated with measures designed to sustain system availability.
- Backup procedures and a disaster recovery plan are documented and exercised at least annually to minimize disruption in the event of a disaster or similar event.
Incident Response and Vendor Management
- A documented process governs the detection, escalation, mitigation, and post-incident review of information security events.
- Vendor risk is evaluated before authorizing a new vendor and reviewed annually thereafter.
- An annual risk assessment is performed, including fraud-risk considerations.
Compliance and HIPAA
- The platform operates in alignment with the HIPAA Security Rule for systems handling protected health information. Business Associate Agreements are executed with subprocessors where required.
Contact
Security questions, incident reports, and general support: please use our contact form.