1. INTRODUCTION
At Mena Health GmbH, we take the security of your data and our platform seriously. This security overview outlines the measures we implement to protect your information and ensure the integrity of our healthcare AI platform.
Our security program is designed to meet ISO 27001 and the requirements of the GDPR and, where applicable, HIPAA. We apply defense in depth, combining technical, administrative, and physical controls so that no single control failure exposes data.
2. DATA PROTECTION AND ENCRYPTION
We use standard, well-reviewed encryption to protect data both in transit and at rest:
• All data in transit is encrypted with TLS 1.3, whose ephemeral key exchange provides forward secrecy (compromise of a server's long-term key does not expose previously recorded sessions)
• Data at rest is encrypted with AES-256
• Database connections are encrypted and authenticated with certificates
• API communications are secured with OAuth 2.0 and JSON Web Tokens (JWTs)
3. ACCESS CONTROLS AND AUTHENTICATION
Access to sensitive systems and data is restricted to authorized personnel through the following controls:
• Multi-factor authentication (MFA) required for all administrative access
• Role-based access control (RBAC) with least privilege principles
• Regular access reviews and automated deprovisioning
• Secure password policies with complexity requirements
4. INFRASTRUCTURE SECURITY
Our infrastructure runs on cloud platforms and is protected by multiple layers of controls:
• Web Application Firewall (WAF) protection against common attacks
• Distributed Denial of Service (DDoS) protection
• Regular security patching and vulnerability scanning
• 24/7 security monitoring and intrusion detection
5. COMPLIANCE AND CERTIFICATIONS
We maintain compliance with relevant international standards and regulations:
• ISO 27001 Information Security Management System certification
• GDPR compliance for EU data protection requirements
• Regular third-party security audits and penetration testing
6. INCIDENT RESPONSE AND BREACH NOTIFICATION
We have established incident response procedures to quickly identify, contain, and resolve security incidents:
• 24/7 Security Operations Center (SOC) monitoring
• Defined incident response playbooks for different scenarios
• Regular incident response training and simulations
• Breach notification in line with applicable requirements; under the GDPR, the supervisory authority is notified within 72 hours of our becoming aware of a personal data breach
7. THIRD-PARTY SECURITY
We carefully vet and monitor all third-party vendors and partners:
• Third-party risk assessments before vendor engagement
• Regular security reviews of vendor controls
• Data processing agreements with appropriate security clauses
• Continuous monitoring of vendor security posture
8. EMPLOYEE TRAINING AND AWARENESS
Our employees are our first line of defense against security threats:
• Mandatory annual security awareness training
• Regular phishing simulations and social engineering testing
• Role-specific security training for technical staff
• Clear security policies and procedures documentation