Security is part of our DNA

As a healthcare technology provider, we take our responsibility to protect data and systems seriously. We're compliant with HIPAA and SOC-2 frameworks, and we enforce a comprehensive set of security policies and measures to ensure our client, member, and employee data stays safe.

Information security policies

Amino maintains and enforces a comprehensive set of security and privacy policies, including:
  • Acceptable Usage
  • Access Control
  • Anti-Virus and Anti-Malware
  • Authentication
  • CMS QE Program Data Access and Usage
  • Change Management
  • Data Backup
  • Data Classification and Management
  • De-Identification of PHI
  • Document Retention and Disposal
  • Encryption
  • Firewall Management
  • Health Information Privacy
  • Health Information Security Program
  • Hiring, Onboarding, and Termination
  • Incident Response
  • Information Security, Integrity and Availability
  • International Travel
  • Logging, Monitoring, and Alerting
  • Physical Security
  • Risk Assessment and Management
  • Screening and Background Checks
  • Server Configuration
  • Third Party Management
  • Training
  • Vulnerability Management
  • Workforce Sanctions
  • Workstation, Mobile Device, and Removable Media

Compliance frameworks

Our products and internal processes are designed with compliance in mind. We use the following compliance frameworks to evaluate and improve our approach:

  • SOC 2: Amino passed an independent SOC 2 Type 1 audit in December 2020. We’re currently undergoing a SOC 2 Type 2 audit and expect to complete this work by the end of 2021.
  • HIPAA: We partner with attorneys, security consultants, and healthcare policy experts to ensure HIPAA compliance as a business associate, and provide a HIPAA privacy notice to our members. We undergo an annual third-party HIPAA risk assessment.

Application security measures

Encryption

We use SSL encryption to protect PII and PHI from unauthorized access. All communication between Amino members and our application is encrypted in transit, and databases and database backups are encrypted at rest.

Data access

To protect our customers' data, Amino practices least-access principles. Customer data is only made available to approved employees whose roles require access to perform their primary job duties.

Third-party vendors

Every third-party vendor used by Amino goes through a thorough internal risk assessment process. We sign business associate agreements (BAAs) with any vendors accessing sensitive client data.

Pentesting and security scans

Amino conducts third-party pentests at least annually. In addition to regular pentesting, we use dynamic and static scanning tools to monitor for and detect vulnerabilities, and we participate in a bug bounty program.

Responsible disclosure and bug bounty program

If you believe you have discovered a vulnerability within Amino's application, or if you would like to participate in Amino's bug bounty program as hosted by HackerOne, please contact our Security Engineering team by emailing security@amino.com.