Security at HumanTrue
Trust and transparency in AI for clinical trial operations
HumanTrue is a secure SaaS platform that uses AI models to understand clinical trial protocols and create new content. The platform has been designed from the outset to keep each customer's data secure and confidential.
Overview
At HumanTrue, security is foundational to everything we build. Our platform handles sensitive clinical trial data, and we take our responsibility to protect that data seriously. We maintain robust security controls, comply with industry standards, and continuously improve our security posture.
Compliance
SOC 2
HumanTrue is aligned with SOC 2 Type 1 standards, with our security controls designed to meet these requirements. Policy documents and audit reports are available upon request for customers who require them for their own compliance needs.
HIPAA Compliance
HumanTrue's platform does not collect or require Protected Health Information (PHI) or Personally Identifiable Information (PII) to operate. However, we have proactively designed our platform to comply with the Health Insurance Portability and Accountability Act (HIPAA), implementing appropriate administrative, physical, and technical safeguards. Business Associate Agreements (BAAs) are available for customers who require them.
Infrastructure Security
Encryption
- Data in Transit: All data transmitted to and from HumanTrue is encrypted using TLS 1.3 or higher
- Data at Rest: All stored data is encrypted using AES-256 encryption
Access Control
- Multi-factor authentication (MFA) required for all employee access
- Role-based access control (RBAC) following the principle of least privilege
- Regular access reviews and automated deprovisioning
Infrastructure
- Cloud-hosted infrastructure with enterprise-grade security controls
- Network segmentation and firewall protection
- Comprehensive logging and monitoring
- Automated backups with point-in-time recovery
Secure Development
Our development practices prioritize security from design through deployment:
- Continuous integration and deployment (CI/CD) with automated security checks
- Peer code review required for all changes
- Automated dependency scanning and vulnerability detection
- Regular security training for all engineering team members
Vulnerability Management
We maintain an active vulnerability management program:
- Regular vulnerability scanning of our infrastructure and applications
- Annual penetration testing by independent third parties
- Defined SLAs for remediation based on severity (Critical: 7 days, High: 30 days, Medium: 90 days)
- Transparent disclosure process for reported vulnerabilities
Incident Response
We maintain a documented incident response plan that defines roles, responsibilities, and procedures for detecting, responding to, and recovering from security incidents. In the event of a breach involving PHI, we follow HIPAA breach notification requirements.
Report a Security Vulnerability
We welcome reports from security researchers and the broader community. If you believe you have discovered a security vulnerability in our platform, please report it to us.
What to Expect
- Acknowledgment: We will acknowledge receipt of your report within 2 business days
- Updates: We will provide transparent updates on our investigation and remediation timeline
- Coordinated Disclosure: We request that you allow us reasonable time to address the issue before public disclosure
Safe Harbor
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Report vulnerabilities promptly
- Allow reasonable time for remediation before public disclosure
What to Include in Your Report
- Description of the vulnerability and potential impact
- Detailed steps to reproduce the issue
- Proof-of-concept code or screenshots (if applicable)
- Your contact information for follow-up questions
Contact
For general security inquiries or questions about our security practices, please contact us at security@humantrue.com.