H33 processes and protects health data with post-quantum cryptography. Each PHI field is encrypted in a hybrid construction: Kyber-1024 (ML-KEM) encapsulates the field's data key and AES-256-GCM encrypts the field under that key, since a KEM on its own only transports keys, not data. Computation on encrypted fields uses FHE, and every access is recorded in immutable audit logs signed with Dilithium (ML-DSA).
Formal risk assessment, risk treatment plan, and continuous control monitoring via Drata. SOC 2 Type II attestation report (SOC 2 is an auditor's attestation, not a certification) covering 114+ controls.
Role-based access control with a hierarchy of FHE permission levels. Grants are time-bounded and delegable, and delegation can only attenuate: a delegate receives at most the grantor's level and at most the grantor's remaining validity. All access is logged.
Per-key access control lists for encrypted data. FHE permission levels, least to most privileged: Read, Compute, Decrypt, Admin. Decrypt is never a standing permission, so nobody holds persistent access to plaintext.
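The grant model described above, as an added example (not H33's own code): an ordered permission enum, time-bounded grants, and a `delegate` step that refuses both escalation and extension. The key id, identities, and timestamps are constructed for the demonstration; the page says nothing about H33's actual grant format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import List


class Level(IntEnum):
    """FHE permission levels, ordered least to most privileged."""
    READ = 1      # fetch ciphertext
    COMPUTE = 2   # run homomorphic operations, never sees plaintext
    DECRYPT = 3   # recover plaintext; kept short-lived, never standing
    ADMIN = 4     # manage the key's ACL


@dataclass(frozen=True)
class Grant:
    key_id: str
    subject: str
    level: Level
    expires: datetime
    issuer: str


class GrantError(Exception):
    pass


def delegate(parent: Grant, to: str, level: Level, expires: datetime, now: datetime) -> Grant:
    """Create a child grant that can only narrow (attenuate) the parent grant."""
    if now >= parent.expires:
        raise GrantError("parent grant has expired")
    if level > parent.level:
        raise GrantError(f"cannot escalate {parent.level.name} to {level.name}")
    if expires > parent.expires:
        raise GrantError("child grant cannot outlive parent grant")
    return Grant(parent.key_id, to, level, expires, issuer=parent.subject)


def authorize(g: Grant, key_id: str, needed: Level, now: datetime, log: List[dict]) -> bool:
    """Decide one access and append the decision to the audit log regardless of outcome."""
    ok = g.key_id == key_id and now < g.expires and g.level >= needed
    log.append({"ts": now.isoformat(), "subject": g.subject, "key": key_id,
                "needed": needed.name, "held": g.level.name, "allowed": ok})
    return ok


def demo() -> dict:
    # Constructed timeline and identities (hypothetical, not taken from the page).
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    log: List[dict] = []
    root = Grant("phi-key-7", "key-admin", Level.ADMIN, t0 + timedelta(days=1), issuer="kms")

    # Clinician receives Decrypt for 8 hours; Decrypt is deliberately short-lived.
    clinician = delegate(root, "dr.smith", Level.DECRYPT, t0 + timedelta(hours=8), t0)
    # Clinician delegates Compute-only access for 1 hour to an analytics job.
    job = delegate(clinician, "svc-analytics", Level.COMPUTE, t0 + timedelta(hours=1), t0)

    out = {
        "job_can_compute": authorize(job, "phi-key-7", Level.COMPUTE, t0 + timedelta(minutes=30), log),
        "job_can_decrypt": authorize(job, "phi-key-7", Level.DECRYPT, t0 + timedelta(minutes=30), log),
        "job_after_expiry": authorize(job, "phi-key-7", Level.COMPUTE, t0 + timedelta(hours=2), log),
    }
    # Attenuation: a delegate can neither raise the level nor extend the lifetime.
    attempts = {
        "escalate": ("svc-analytics", Level.ADMIN, t0 + timedelta(hours=1)),
        "outlive": ("svc-analytics", Level.READ, t0 + timedelta(hours=9)),
    }
    for name, args in attempts.items():
        try:
            delegate(clinician, *args, now=t0)
            out[name] = "allowed"
        except GrantError as e:
            out[name] = f"rejected: {e}"
    out["log_entries"] = len(log)
    return out
```

Every `authorize` call writes a log entry whether or not it succeeds, which is what "all access logged" has to mean in practice: denied attempts are the ones an investigator wants most.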
Annual security awareness program with phishing simulation, incident reporting procedures, and completion tracking.
Documented incident response plan with severity classification, notification timelines, and post-incident review. SNS alert integration for real-time notification.
Automated daily backups via AWS Backup with KMS encryption. Multi-AZ RDS deployment. Point-in-time recovery enabled on all production databases.
Unique user identification, emergency (break-glass) access procedures, automatic session timeout, and encryption at rest for all PHI with AES-256 under Kyber-1024-wrapped keys. FHE allows computation on PHI without decrypting it.
Immutable append-only audit logs with SHA3-256 chain hashing: each record's hash covers the previous record's hash, so the log forms a single chain. A dedicated PHI audit log tracks field-level access. 7-year retention. Dilithium-signed compliance reports.
Tamper-evident audit chains: altering or deleting any past record invalidates every hash after it, and the database's append-only constraints block the rewrite of later records that would otherwise be needed to hide the change. CloudTrail with log file validation and KMS encryption.
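The chain-hashing and tamper-evidence mechanism above, as an added example (not H33's code): a SHA3-256 hash chain, a verifier, and the two tamper cases that matter. The first edits a record in place and is caught by the chain itself; the second edits a record and recomputes every later hash, which only an externally anchored chain head (the kind of value a signed compliance report or append-only constraint protects) can expose. The log entries and field names are constructed.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # sentinel prev_hash for the first record (constructed convention)


def canonical(payload: dict) -> bytes:
    # Deterministic serialization so every verifier hashes identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, payload: dict) -> str:
    # Each hash covers the previous record's hash plus this record's payload.
    return hashlib.sha3_256(prev_hash.encode() + canonical(payload)).hexdigest()


class AuditChain:
    """Append-only audit log: records are added, never edited in place."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, payload: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        h = record_hash(prev, payload)
        self.records.append({"prev_hash": prev, "payload": payload, "hash": h})
        return h

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records: List[dict], trusted_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index of first bad record); index is -1 when the chain is intact.

    Re-derives every hash from the previous hash and payload. If trusted_head is
    supplied (a chain head stored or signed out of band), the final hash must also
    equal it; that catches an attacker who rewrote a record and recomputed the rest.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return False, i
        prev = rec["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(records) - 1 if records else 0
    return True, -1


def demo() -> dict:
    chain = AuditChain()
    # Constructed sample PHI access events, not real data.
    chain.append({"ts": "2024-05-01T10:00:00Z", "actor": "svc-analytics", "field": "patient.dob", "op": "Compute"})
    chain.append({"ts": "2024-05-01T10:00:05Z", "actor": "dr.smith", "field": "patient.dob", "op": "Decrypt"})
    chain.append({"ts": "2024-05-01T10:01:00Z", "actor": "dr.smith", "field": "patient.ssn", "op": "Read"})
    head = chain.head()  # imagine this value signed and stored outside the database

    # Tamper 1: edit a past record in place; its stored hash no longer matches.
    edited = copy.deepcopy(chain.records)
    edited[1]["payload"]["actor"] = "nobody"

    # Tamper 2: edit and recompute every later hash. The chain is internally
    # consistent again; only the externally anchored head reveals the rewrite.
    rewritten = copy.deepcopy(chain.records)
    rewritten[1]["payload"]["actor"] = "nobody"
    prev = rewritten[0]["hash"]
    for rec in rewritten[1:]:
        rec["prev_hash"] = prev
        rec["hash"] = record_hash(prev, rec["payload"])
        prev = rec["hash"]

    return {
        "intact": verify(chain.records, head),
        "edited_in_place": verify(edited),
        "rewritten_unanchored": verify(rewritten),
        "rewritten_anchored": verify(rewritten, head),
    }
```

The second tamper case is why a hash chain alone is not enough: anyone with write access to the whole table can produce a valid-looking chain. Append-only constraints remove that write access, and an out-of-band head (or a signature over it) lets a verifier notice if they were bypassed.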
MFA on all infrastructure accounts. IAM password policy: 14-char minimum, 90-day rotation, 24-password history. IAM database authentication on RDS.
TLS 1.2/1.3 on all connections. On top of TLS, key transport uses a Kyber-1024 + AES-256-GCM hybrid: the post-quantum KEM establishes a shared secret and AES-256-GCM wraps the key under it. Keys wrapped this way stay protected against harvest-now-decrypt-later attacks even if the classical TLS key exchange around them is recorded today and broken by a quantum computer later.
All 13 RDS instances KMS-encrypted. All 56 S3 buckets KMS-encrypted. EBS default encryption enabled. Backup encryption mandatory. Field-level Kyber-1024 for PHI via H33-Health.
Two active trails with log file validation, CloudWatch integration, and KMS encryption. All API calls logged across all regions.
Continuous threat detection with EC2, ECS, and EKS runtime monitoring. VPC flow log analysis, DNS query monitoring, and malware scanning.
Real-time alerting on root usage, unauthorized API calls, IAM changes, security group changes, NACL changes, VPC changes, and more.
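The alert categories above, run as detection logic over constructed CloudTrail records, as an added example that is not H33's tooling. The predicates follow the CloudWatch metric-filter patterns from the CIS AWS Foundations Benchmark (root usage, unauthorized API calls, IAM policy changes, security group, NACL and VPC changes); the event-name lists are a subset, and the six sample records are made up, including one root-service event that must not alert.

```python
import json
from typing import Callable, List, Tuple


def is_root_usage(e: dict) -> bool:
    # CIS pattern: userIdentity.type = "Root" AND invokedBy NOT EXISTS AND eventType != "AwsServiceEvent"
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def is_unauthorized_call(e: dict) -> bool:
    # CIS pattern: errorCode = "*UnauthorizedOperation" OR errorCode = "AccessDenied*"
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


# Subsets of the event names the CIS metric filters enumerate.
IAM_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "DeleteUserPolicy",
              "AttachUserPolicy", "DetachUserPolicy", "AttachRolePolicy", "DetachRolePolicy",
              "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion"}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
NACL_EVENTS = {"CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
               "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"}
VPC_EVENTS = {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "CreateVpcPeeringConnection",
              "AcceptVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection"}

RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("RootAccountUsage", is_root_usage),
    ("UnauthorizedAPICall", is_unauthorized_call),
    ("IAMPolicyChange", lambda e: e.get("eventSource") == "iam.amazonaws.com"
                                  and e.get("eventName") in IAM_EVENTS),
    ("SecurityGroupChange", lambda e: e.get("eventName") in SG_EVENTS),
    ("NACLChange", lambda e: e.get("eventName") in NACL_EVENTS),
    ("VPCChange", lambda e: e.get("eventName") in VPC_EVENTS),
]


def classify(event: dict) -> List[str]:
    """Names of every rule the event trips (an event may match more than one)."""
    return [name for name, pred in RULES if pred(event)]


def scan(log_json: str) -> List[Tuple[str, List[str]]]:
    """Parse a CloudTrail log file body and return (eventID, alerts) for alerting events."""
    records = json.loads(log_json)["Records"]
    hits = []
    for e in records:
        alerts = classify(e)
        if alerts:
            hits.append((e["eventID"], alerts))
    return hits


# Constructed sample log file (hypothetical account id and identities).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventID": "e2", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "intern"}},
    {"eventID": "e3", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventID": "e6", "eventType": "AwsServiceEvent", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]})
```

Record e6 is the usual false-positive trap: the root identity appears, but the call was made on the account's behalf by a service, which the `invokedBy` and `eventType` checks exclude exactly as the CIS filter does.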
All VPCs emit flow logs to CloudWatch. Default security groups locked down with no inbound or outbound rules.