Information Security
Huma AI maintains a robust information security program that consists of policies, procedures, and controls to maintain the confidentiality, integrity, and availability of information and information assets.
Huma AI policies, procedures, and standards are in accordance with the SOC 2 Trust Service principles and criteria.
In addition, we hire an accredited third party to audit our compliance with the SSAE 18 SOC 2 standard on an annual basis.
The Cloud Service (AWS) stores content encrypted at rest. This is done using enterprise-grade, industry-standard encryption on the storage backend.
Communications between Customer’s endpoints and the Cloud Service (AWS) are encrypted in-transit with appropriate encryption standards for data in motion.
The Cloud Service (AWS) includes logical separation of data between customers. In all cases, Huma AI d/b/a Qoniq has implemented controls designed to prevent one customer from gaining unauthorized access to another customer’s data.
Least Privilege
Access to the systems and infrastructure that support the Cloud Service (AWS) is restricted to individuals who require such access as part of their job responsibilities.
Unique User Identification
Unique User IDs are assigned to such individuals as part of their hiring and onboarding process.
Password requirements
The password policy for the Cloud Service adheres to Huma AI d/b/a Qoniq password requirements and is in accordance with industry standards and best practices.
Access Reviews
Access reviews are performed on a periodic basis. Access privileges of terminated Huma AI d/b/a Qoniq personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
Remote Access Review & Networking
Appropriate security measures and controls are utilized for remote administration points of access to the Cloud Service (AWS) production environment.
All access to the Cloud Service networks and sensitive information requires authentication and other access-related security controls such as MFA and regularly rotated keys (KMS).
Vulnerabilities that trigger alerts and have published exploits are reported to Security leadership, which determines and supervises appropriate remediation action.
Security Operations monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
Penetration tests by independent third parties are conducted at least annually. Detailed results from external penetration tests are not distributed or shared with anyone other than Huma AI d/b/a Qoniq employees with a need to know. Redacted summaries are available with appropriate non-disclosure agreements in place.
The Huma AI d/b/a Qoniq Software Development Life Cycle (SDLC) framework is based on industry standards such as OWASP, which ensures that secure design practices are integrated directly into the design and development process of the Huma AI d/b/a Qoniq systems.
Huma AI d/b/a Qoniq maintains a risk management program based on industry guidance.
Huma AI d/b/a Qoniq conducts a risk assessment on an annual basis.
Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
Huma AI d/b/a Qoniq maintains a security awareness program for Huma AI personnel, which provides initial education, ongoing awareness, and individual personnel acknowledgment of intent to comply with Huma AI d/b/a Qoniq’s corporate security policies.
New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the Huma AI d/b/a Qoniq information security policy.
All Huma AI d/b/a Qoniq personnel are required to satisfactorily complete security training annually.
Huma AI d/b/a Qoniq will notify customers in writing within seventy-two (72) hours of a confirmed Security Breach. Notifications will summarize the known details of the Security Breach and the status of Huma AI d/b/a Qoniq’s investigation.
Huma AI d/b/a Qoniq will take appropriate actions to contain, investigate, and mitigate any such Security Breach.
Huma AI d/b/a Qoniq maintains a Disaster Recovery Plan (DRP) for the Cloud Service. The DRP is tested annually.
Huma AI d/b/a Qoniq also maintains policies, procedures, and security controls to ensure the continuity of critical business functions in the event of a catastrophic event. This includes data center resiliency and data redundancy for the Huma AI d/b/a Qoniq Cloud Service.
In accordance with reasonable disclosure, we continue to respond to submitted security issues and encourage anyone to report bugs on our platform. Activities that jeopardize the security of our platform are explicitly prohibited.
To submit a bug for review, please send an email to [email protected]