Nadia Care — Security & Trust
Our Commitment to Security
At Nadia Care, protecting sensitive information, especially Protected Health Information (PHI), is a core priority. We maintain a comprehensive security program designed to safeguard data, ensure system reliability, and meet regulatory requirements. The program is aligned with HIPAA requirements and with the SOC 2 trust services criteria.
How We Protect Data
Secure Architecture
- PHI is accessed only within controlled, secure environments
- No PHI is stored on local or personal devices
- Data movement controls restrict transfers out of those environments to block unauthorized exfiltration
- All access to PHI is logged and monitored
Access Controls
- Role-based access control (RBAC) with least-privilege enforcement
- Mandatory Multi-Factor Authentication (MFA)
- Automated onboarding and offboarding
- Regular access reviews
Encryption
- Encryption at rest using industry-standard methods (e.g., AES-256)
- Encryption in transit using TLS 1.2+
- Secure key management practices
Monitoring & Detection
- Centralized logging and monitoring
- Automated alerting for suspicious activity
- Continuous threat detection
Data Backup & Business Continuity
- Automated, encrypted backups of critical systems and data
- Recovery Point Objective (RPO): ~4 hours
- Recovery Time Objective (RTO): ~6 hours
- Regular backup testing and restoration validation
- Geographically redundant and secure cloud-based infrastructure
Endpoint & Ransomware Protection
- Centrally managed endpoint protection (AV/EDR) across all devices
- Continuous malware detection and automated response
- Weekly automated scans and real-time monitoring
- Device encryption and security baselines enforced
- Restricted data movement between secure environments and local devices
Vulnerability Management & Security Testing
- Continuous vulnerability scanning of systems and infrastructure
- Quarterly internal and external security assessments
- Annual third-party penetration testing
- Risk-based remediation timelines:
  - Critical/High: ≤ 30 days
  - Medium: ≤ 60 days
  - Low: ≤ 90 days
Compliance & Governance
- HIPAA-aligned safeguards for PHI
- SOC 2-aligned security controls
- Vendor risk management and security reviews
- Business Associate Agreements (BAAs) with applicable partners
- Regular risk assessments and security testing
Data Residency
All customer data is stored and processed within the United States. We do not offshore PHI or sensitive data and maintain compliance with applicable U.S. healthcare data requirements.
Availability & Reliability
We design our systems for high availability and resilience, including redundancy and failover mechanisms. Service availability commitments, where applicable, are defined in customer agreements.
Incident Response
We maintain a formal incident response process to ensure rapid detection, containment, and remediation of security events. If a security incident occurs, we:
- Investigate and contain the issue promptly
- Perform root cause analysis
- Implement corrective actions
- Provide notifications as required by applicable regulations
Responsible Disclosure
Nadia Care welcomes reports of potential security vulnerabilities. If you believe you have identified a security issue, please contact us: security@nadiacare.com
Please include:
- Description of the issue
- Steps to reproduce
- Potential impact
Scope
In-scope systems include:
- Public-facing applications
- APIs and cloud infrastructure
Out-of-scope activities include:
- Social engineering
- Denial-of-service (DoS) testing
- Physical attacks
- Testing that could impact patient data or system availability
Our Commitment
- We will acknowledge reports within 3–5 business days
- We will investigate and remediate validated issues promptly
- We will not pursue legal action for good-faith security research that stays within the scope described above
At this time, Nadia Care does not offer a monetary bug bounty program.