Cerebrium is SOC 2 Type I, HIPAA, GDPR and ISO compliant, enforcing strict security standards and protocols. Compliance is continually monitored through Vanta and a dedicated team. Visit the trust center for compliance reports, or contact security@cerebrium.ai for additional information.

Infrastructure Security

  • Cerebrium frequently performs vulnerability scans, with remediation following the incident response plan timelines.
  • Cerebrium conducts annual business continuity and security incident exercises as required for SOC 2 compliance.
  • Cerebrium has daily database backups enabled.
  • Employee computers are frequently monitored via the Vanta agent.
  • Multi-Factor Authentication (MFA) is enforced across all platforms relating to Cerebrium.
  • Cerebrium uses logging and metrics observability providers, including Datadog and BugSnag.

Organizational Security

  • Cerebrium employees are subject to a general security awareness training during their onboarding period.
  • Cerebrium regularly audits employee access to internal systems.
  • Employee computers are frequently monitored via the Vanta agent.
  • Multi-Factor Authentication (MFA) is enforced across all platforms relating to Cerebrium.

Product Security

  • Cerebrium enforces HTTPS for all services using TLS (SSL), including the Cerebrium Dashboard and Python package.
  • Cerebrium maintains access logs across all its infrastructure services.
  • Software dependencies are audited by GitHub’s Dependabot.
  • User data is encrypted at rest.

Internal Security Procedures

  • Cerebrium performs regular vulnerability scans, with remediation following incident response plan timelines.
  • Cerebrium regularly audits employee access to internal systems.
  • Cerebrium conducts annual business continuity and security incident exercises as part of SOC 2 compliance requirements.

Data and Privacy

  • Cerebrium does not use customer data to train machine learning models.
  • For customers on the Hobby and Standard plans, request/log data is automatically deleted after 7 and 30 days, respectively.
  • Cerebrium deletes customer data upon request. A purge request endpoint is available for immediate deletion.
  • All user data is encrypted at rest.

HIPAA Compliance

As a business associate of covered entities in the healthcare sector, Cerebrium implements the following measures to support HIPAA compliance:

Business Associate Agreements (BAA)

  • Cerebrium offers a standardized BAA to all customers who require HIPAA compliance.
  • The BAA outlines the responsibilities and obligations of both parties in protecting Protected Health Information (PHI).
  • Customers can initiate the BAA process by contacting compliance@cerebrium.ai.

PHI Handling and Storage

  • Cerebrium’s infrastructure is designed to handle PHI securely, with encryption at rest and in transit.
  • Cerebrium does not access, use, or disclose PHI unless explicitly required for service delivery.
  • Customers are responsible for de-identifying PHI before transmission to Cerebrium’s systems, if de-identification is required for their use case.

Access Controls

  • Strict access controls are in place to ensure that only authorized personnel can access systems that may contain PHI.
  • Role-based access controls are used to limit access to PHI based on job responsibilities and the principle of least privilege.

Audit Logging

  • Comprehensive audit logs are maintained for all activities that could potentially involve PHI.
  • These logs are available to support customers’ accounting-of-disclosures requirements.

Breach Notification

  • Cerebrium maintains an incident response plan that includes HIPAA-compliant breach notification procedures.
  • Any potential breaches involving PHI are promptly investigated and reported to affected customers within required timeframes.

Employee Training

  • All Cerebrium employees undergo HIPAA awareness training as part of their onboarding process.
  • Regular refresher training is conducted to ensure ongoing HIPAA compliance.

Risk Assessments

  • Cerebrium conducts regular risk assessments to identify and address potential vulnerabilities in PHI handling.
  • These assessments help maintain a secure environment for customer data.

Subcontractors

  • Any subcontractors who may have access to PHI are required to sign a BAA and comply with the same HIPAA requirements as Cerebrium.

Data Retention and Destruction

  • Cerebrium adheres to HIPAA-compliant data retention policies.
  • Secure data destruction processes are in place for when PHI needs to be deleted or when a customer relationship ends.

Compliance Monitoring

  • HIPAA compliance measures are continuously monitored and updated to align with changes in regulations and best practices.

For more information on HIPAA compliance or specific compliance needs, contact the compliance team at compliance@cerebrium.ai.