Technical and Organizational Measures
This Technical and Organizational Measures (“TOM”) document covers the security and privacy controls for the Patient Interaction Suite by XUND.
With the Patient Interaction Suite, you identify possible causes for your symptoms using our database built from millions of medical publications powered by our artificial intelligence (AI). Based on self-reported data, XUND enables digital and automated interactions through relevant questions tailored to each stage in the patient journey. These features allow you to build customized health assistants for your patients.
This document provides a description of the main building blocks that contribute to the technical security and privacy of our Patient Interaction Suite and the organizational measures that surround the development and operation of the services. The target audience of the document is technicians and security and privacy experts who want to verify the details of the measures put in place by XUND.
2. Service Overview
Our Patient Interaction Suite consists of medical modules that cover the entire patient lifecycle and enable digital interactions from prevention to diagnosis and monitoring. It is a standalone software without any physical components or accessories that supports layman users by providing them with trustworthy medical information and preliminary symptom assessments in an intuitive and easy-to-understand way. By asking simple and short questions about the symptoms and profile of the user, XUND then provides a list of potential explanations and next steps. The Patient Interaction Suite can be integrated into any frontend with an internet connection via API, SDK, and Web App interfaces.
3. Service Architecture
The Patient Interaction Suite is a Software-as-a-Service (SaaS) solution running on a cloud provider in European data centers. The Suite is running in a containerized environment where the hosts are partially managed by the cloud provider and partially by XUND.
Additionally to the medical modules, there are also add-on services that among other things also allow the management of the client settings and easier integration of the patient-facing UI. These web components share the same architectural setup as the rest of the service. Settings applied in the Client Hub constitute as instructions in regard to the processing of personal data.
Personal data of patients is never consumed by the Patient Interaction Suite. For each patient interaction, a random check ID is generated that identifies questions and answers within a single session and produces a report. These check IDs are never mapped to any real profile information on the application backend. Therefore, data generated through the medical modules is legally not considered personal data, although it is protected to those standards on our servers.
4. Technical Controls
We employ industry-standard technical security controls appropriate to the nature and scope of the service, designed to safeguard the service infrastructure and data residing therein. The technical and organizational measures described here constitute the measures referenced in the Data Processing Agreement that is part of the Terms of Service.
4.1. Access Control
Logical access control procedures are in place, designed to prevent or mitigate the threat of unauthorized application access. Access for clients to the Patient Interaction Suite is provided based on API keys or pre-configured domain verification, whereas user authentication on client-facing UIs is done using a username and password combination with optional two-factor authentication. XUND employees are granted minimum (or “least privilege”) access to specified XUND systems, applications, and devices as needed. Further, user privileges are segregated based on functional role and environment.
4.2. Firewalls and Network Zones
XUND office networks and production networks are completely separated, with no VLAN connectivity between the two. Only required ports from application components are exposed within the service, and only containers containing the external proxies are exposed to the Internet.
4.3. Data Segregation
We leverage a multi-tenant architecture, logically separated at the database level, based on a user’s or organization’s account. Only authenticated parties are granted access to relevant accounts.
4.4. Physical Security
XUND leverages ISO27001-certified, European cloud providers with data centers providing physical security and environmental controls. These controls include:
- video surveillance and recording
- multi-factor authentication to highly sensitive areas
- heating, ventilation, and air conditioning temperature control
- fire suppression and smoke detectors
- uninterruptible power supply (“UPS”)
- continuous monitoring and alerting
- protections against common natural and man-made disasters, as required by the geography and location of the relevant data center
- scheduled maintenance and validation of all critical security and environmental controls
4.5. Business Continuity and Availability
The technical setup of the service allows dynamic scaling based on load and seamless handling of individual hardware errors. In case of data center failures, we can, within 1 business day, relocate the service to a different location and serve traffic from there.
There are daily full backups created of the complete database and kept within the same data center as well at a geographically distant location. Backups are encrypted at rest, and restoration capabilities are tested every 6 months.
4.6. Server Updates
Our core services run in containers based on minimal images that are updated with the latest security patches on every release. The few services that run in traditional virtual machines are continuously monitored for applicable security updates and patched depending on risk or at least receive full patching once a quarter.
XUND maintains a cryptographic standard that aligns with recommendations from industry groups, government publications, and other reputable standards groups. This standard is periodically reviewed, and selected technologies and ciphers may be updated in accordance with the assessed risk and market acceptance of new standards.
All network traffic flowing in and out of XUND server components, as well as in-between, is encrypted in transit.
4.8. Vulnerability Management
External system and network vulnerability scanning is conducted monthly. Static application vulnerability testing is run on every build, and penetration testing activities for targeted environments are performed periodically. These scanning and testing results are reported into network monitoring tools and, where appropriate, remediation action is taken.
4.9. Logging and Altering
XUND logs all API requests and application errors with associated context for debugging purposes. Logs are forwarded to a central repository and cannot be modified. Only selected employees have access to these logs. Any errors causing possible service interruption are monitored, and internal alerting notifies developers of the issue.
5. Organizational Controls
5.1. Policies and Procedures
XUND maintains a comprehensive set of security policies and procedures aligned with business goals, compliance programs, and overall corporate governance. These policies and procedures are periodically reviewed and updated as necessary to ensure ongoing compliance.
5.2. Standards Compliance
During the development and operation of the medical modules in the Patient Interaction Suite, we comply with applicable legal, data privacy, and regulatory requirements, and maintain compliance with the following certifications and external audit reports:
- ISO 27001:2013,
- ISO 13485:2016,
- Art 10 (9) of the Regulation (EU) 2017/745 on medical devices, classification class IIa.
5.3. Incident Management
XUND maintains a Business Continuity Plan defining response activities with associated timelines based on the results of a Business Impact Analysis. There are associated policies for incident management and critical incident response handling that define reporting lines and management responsibilities. Incident notification can originate from internal monitoring, internal email/phone reports, or external reports through firstname.lastname@example.org.
5.4. Application Security
The application security program at XUND is based on a formal Secure Development Process that defines minimally required security activities to be done before releases. The program is based on providing secure development training to all engineers and leveraging practices such as design and code reviews, threat modeling, static analysis, software composition analysis, and external vulnerability and application scans.
5.5. Personnel Security
Background checks to the extent admissible and proportionate to the role are being done for all new hires prior to employment. Employees need to go through a formal onboarding and offboarding process respective to their employment status, where records of completion are maintained internally. Access to systems is reviewed on a yearly basis, ensuring employees only have privileges in systems they actually need for their daily tasks.
5.6. Security Awareness and Employee Training
All new hires need to go through initial security awareness training and accept the company's internal playbook containing relevant security obligations. Yearly follow-up training and awareness exercises are held for all employees, and every two months, there is an internal employee newsletter containing relevant information on recent security threats. Engineers receive additional secure development training on an ongoing basis.
6. Use of Sub-Processors
As part of providing the service, we are using the services of vendors and service providers (collectively sub-processors) with whom it might share personal data as part of the services. XUND provides an up-to-date list of its sub-processors available on its website at xund.ai/sub-processor-disclosure. XUND will notify clients in case there are any changes in the list or the way sub-processors are involved in provisioning the service.
All sub-processors need to go through a defined vendor evaluation process before being introduced, including aspects of quality, security, and privacy. All sub-processors are regularly being re-evaluated to ensure the ongoing quality of the used services. All sub-processors need to have a signed statement of work, confidentiality agreement, and data processing agreement with provisions compatible with those signed by XUND towards its clients.
In selecting sub-processors, there is a large emphasis put on ensuring the high level of privacy of their services, as XUND commits itself to. Sub-processors are selected based on the privacy regulations applicable at the headquarters of the company, hosting locations leveraged, and additional technical and organizational privacy controls provided. Providers from countries without adequacy decisions from the European Commission are only used where appropriate further safeguards have been put in place.
7. Contacting XUND
Clients can contact us for privacy-related inquiries at email@example.com or through their respective Partnership Manager.
Version: November 2023