Security Policy
Publication date: March 5, 2025.
The Security Policy regulates the procedure and methods for protecting the Data of the User.
The Security Policy describes protection systems, methods and techniques for ensuring the security of User Data.
The Security Policy describes special methods of data processing, such as encryption, pseudonymization, and ways to protect against DDoS attacks.
The Security Policy was created so that the Data Subject can familiarize itself with how Personal Data is stored, how access to Personal Data is granted to Company employees, and the Company’s procedure in case of loss of Personal Data.
Please read the Privacy Policy for a more profound understanding of the security of Personal Data.
- DEFINITION
- User is any person who installs the App to receive Services for the purpose of monitoring their health.
- Personal Data is any information that is in the public domain, allowing you to directly or indirectly identify the User. For example, first name, last name, phone number, IP address.
- Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Data is a common name for Personal Data and Data concerning health.
- Doctor is a qualified specialist in the field of medicine, who is chosen by the User to receive Services for diagnosing his health or monitoring his condition.
- DeHealth company (hereinafter referred to as the "Company" or "DeHealth") is DEHEALTH TECHNOLOGIES, INC, registered at 1049 El Monte Avenue, Ste C #846, Mountain View, CA 94040, United States, EIN: 36-5099713, which provides Services to Users.
- DeHealth application (hereinafter referred to as the "App") is a service created so that the User can check the state of his health and monitor the change in his health.
- Services means an algorithm of actions carried out by the Company to provide the User with the opportunity to install the App to check the state of his health and monitor its condition by contacting a Doctor.
- Controller means a natural or legal person, government agency, institution or other body that independently determines the purposes and means of processing Personal Data.
- Processor means a natural or legal person, public authority, agency or other body processing Personal Data on behalf of the Controller.
- Password means a secret word or a certain sequence of symbols intended to confirm identity or its rights. Passwords are used to protect information from unauthorized access.
- Pseudonymization is the processing of Data as a result of which the Data cannot be identified without the use of additional information, provided that such additional information is stored separately and protected by technical and organizational means to exclude the association of Data with an identified or identifiable individual.
- Encryption is an algorithmic and reversible transformation of Data that is performed by a symbolic sequence in order to ensure their security.
- Server is specialized equipment that is designed to store information and service users and databases.
- Third Party means a natural or legal person, government agency, institution or body, other than the User or Company.
- GENERAL PROVISION
- By ensuring the security of Data we mean a set of actions aimed at preventing the disclosure and/or loss of Data.
- The Company ensures the security of Data relying on Art. 32 of the General Data Protection Regulation.
- In the event of a situation during which there is a possibility of loss of Data, we make every effort to avoid it.
- The Company uses measures such as Pseudonymization and Data Encryption.
- We make every effort to restore access to Data in the event of its disclosure and/or loss.
- The Company acts as the Controller during the processing of Data concerning health:
- DEHEALTH TECHNOLOGIES, INC
- Address: 1049 El Monte Avenue, Ste C #846, Mountain View, CA 94040, United States
- EIN: 36-5099713
- SCOPE OF APP
- The Security Policy applies exclusively to Data processed by the Company when providing access to the Services and paying for them.
- The Security Policy does not apply to Data that is not processed by the Company, including but not limited to accepting payment from the User for providing access to the Services.
- DATA SECURITY MEASURES
- The Company shall use the following Data security measures:
- information risk assessment;
- rules for working with Data;
- separation of employee/contractor access levels to Data;
- determination of a Data Processing Officer (DPO);
- regular testing of Data security;
- coordination between key Employees who have access to Data;
- rules for access to premises and equipment where Data is stored;
- performing periodic checks of Data security;
- use of antivirus software;
- use of security systems;
- control of physical access to Data;
- protection of Data using an authorization system;
- assigning a unique password to an employee to access Data;
- backup of Data;
- training and advanced training of employees who have the right to access Data;
- interaction with the Server.
- The Company identifies the following Data cybersecurity measures:
- system security - the security of our network and information systems, including those that process Data;
- data security - the security of the Data that we store on our Server;
- security systems - the security of Data, which is ensured with the help of special services, programs.
- PSEUDONYMISATION OF DATA
- Pseudonymisation does not allow identification of Data, but it allows it to be distinguished from other Data.
- Pseudonymisation allows identification of an employee or counterparty using online identifiers.
- Pseudonymisation of Data may reduce the risks of loss and/or disclosure of Data and help Controllers and Processors to fulfil their obligations to protect Data.
- ENCRYPTION OF DATA
- The Company encrypts Data in accordance with Art. 32 of the General Data Protection Regulation.
- The Company encrypts Data in the following way: local storage of encrypted Data. In this case, Data is encrypted first and is then stored on the Server in encrypted form.
- The Company uses the following software and methods for Encryption:
- SSL/TLS for Zipit encryption;
- Encryption disk on HealthLake;
- gRPC communication between the Company's services;
- Firebase for data storage;
- Firewall usage;
- using AES-256 to encrypt hard drives at rest;
- regular updating of SSL/TLS certificates for traffic encryption;
- use of services with authentication through OAuth 2.0;
- integration with deep logging via AWS CloudWatch to track changes and anomalous activity;
- multi-factor authentication (MFA).
- To ensure Data security, the Company uses segmented data storage in different AWS regions to increase stability and automatic backup to Amazon S3 with Data Encryption with regular software version updates.
- Data is stored in the cloud on digital media. Backups are encrypted and stored in AWS Glacier for long-term archival storage. Access to physical servers is restricted by AWS Glacier's physical security policy.
- The Company encrypts Data both during its transmission and during its storage.
- DDoS PROTECTION
- The Company uses the maximum and most modern means of protection against DDoS attacks, minimizing the possibility of losing Data and lack of access to the Service.
- The Company uses the maximum and most modern methods of protection against DDoS attacks, minimizing the likelihood of losing Data.
- The Company uses the following types of protection against DDoS attacks:
- protection against all types of DDoS attacks (SYN Flood, UDP/ICMP Flood, HTTP/HTTPS attacks);
- secure IP address;
- Cloud Security with AWS Shield;
- filtering traffic through specialized equipment and software methods;
- use of Intrusion Prevention Systems (IPS);
- ensuring protection from the Company's Server;
- OpenSSL is used to encrypt data in transit.
- To provide additional protection against DDoS attacks, content delivery services, Internet security services, and distributed domain name server services are used.
- DATA SECURITY BREACH
- A Data security breach means a breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data. This includes breaches that result from both accidental and intentional causes.
- A Data security breach may include:
- access by an unauthorized Third Party;
- intentional or accidental action (or inaction) of the Controller or Processor;
- sending Data to the wrong recipient;
- computer devices containing Data are lost or stolen;
- modification of Data without proper authorization;
- loss of access to Data.
- In the event of a Data security breach, we will take immediate action to eliminate it.
- In the event that a Data security breach could result in significant losses for the User, we will take all necessary measures to inform them as soon as possible.
- The Company documents all Data security breaches, regardless of the risk to Data security.
- In the event of a Data security breach, we will take measures in accordance with the Data Protection Guidelines under Art. 25 of the General Data Protection Regulation, in accordance with Regulation 2016/679.
- PROCEDURE IN THE EVENT OF A SECURITY BREACH OF DATA
- In case of unlawful disclosure and/or loss of Data, the Company takes the following steps:
- Immediately notifies the User of such breach;
- Takes all necessary measures to stop further disclosure;
- Performs security audits to prevent further leakage of Data;
- Takes actions to minimize the damage from such leakage of Data;
- Notifies the supervisory authority;
- Takes action to compensate for damage to the User.
- The Company trains its employees to perform an algorithm of actions in case of violation of the security of Data.
- The Company assesses and monitors the mitigation of damage from a Personal Data breach and ensures cooperation between employees and Users, and regularly reviews the Data breach response plan.
- NOTIFICATION OF A DATA BREACH TO THE SUPERVISORY AUTHORITY
- In the event of a Data security breach, the Controller or the Processor on behalf of the Controller shall, without undue delay and if possible no later than 72 hours after becoming aware of the breach, notify the competent supervisory authority of the breach, unless it does not result in any risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by an explanation of the reasons for the delay.
- The Controller or the Processor on behalf of the Controller shall notify the supervisory authority pursuant to Art. 33 of the General Data Protection Regulation.
- In the event of a Data security breach, the Controller or the Processor on behalf of the Controller shall notify the User of the breach without undue delay.
- Notification of a breach of User Data is not required in any of the following cases:
- The Controller or the Processor on behalf of the Controller has previously applied appropriate technical and organizational security measures to the Data that make it impossible for any person who is not authorized to access it to read it, such as encryption;
- The Controller or the Processor on behalf of the Controller has taken subsequent measures that do not represent a high risk to the rights and freedoms of the User;
- Notification would require a disproportionate effort. In such a case, a public notification or similar action informing data subjects with equal effectiveness is taken instead.
- The Controller or the Processor on behalf of the Controller notifies the User in accordance with Art. 34 of the General Data Protection Regulation.
- Notification of a breach of User Data must:
- describe the nature of the breach of Data, including, where possible, the categories and approximate number of persons affected, as well as the categories and approximate amount of Data affected;
- contain the name and contact details of the data protection officer or other contact person from whom further information can be obtained;
- describe the possible consequences of a breach of Data security;
- describe the steps taken by the Controller or the Processor on behalf of the Controller to deal with the breach of personal data security, including, where appropriate, measures aimed at minimising its possible negative consequences.
- LIABILITY
- The Controller is liable for damage caused by a breach of Data security. The Processor is liable for damage caused by processing only if it has failed to comply with the requirements of the General Data Protection Regulation or if it has violated the lawful instructions of the Controller.
- The Controller and the Processor are liable in accordance with Art. 82 of the General Data Protection Regulation.
- The Company is liable in accordance with Art. 83 of the General Data Protection Regulation.
- The Company is liable for damage caused by a breach of Data security and undertakes to compensate for the damage caused.
- The Company shall not be liable in the following cases:
- If the breach of Data security occurred due to reasons beyond the Company's control and it could not prevent such a breach in any way;
- The breach of Data security occurred due to the User providing knowingly false Personal Data;
- The breach of Data security occurred due to the Doctor's actions that the Company could not control;
- If the Company disclosed the Data by order of any supervisory authority, court, law enforcement and/or government agency;
- If the disclosure and/or loss of the Data occurred as a result of force majeure, military action, emergency situations;
- If the disclosure and/or loss of the Data occurred as a result of the failure of the company that provided the data storage services (data center) to fulfill its obligations.
- CHANGING THE SECURITY POLICY
- The Company has the right to change the provisions of the Security Policy in case of changes in the methods and ways of ensuring the security of Data.
- If changes are made to the Security Policy, the Company trains its employees and adds new provisions to this Security Policy.
- The User is obliged to read the new terms of the Security Policy, and the Company is not responsible if the User has not read the new terms of the Security Policy.
- Digital or otherwise stored copies of the Security Policy are considered to be authentic, complete, valid and enforceable versions of this Security Policy in effect at the time the User visits the App. If the User uses the Services, after the date of updating the Security Policy, he agrees to the new rules for the storage of Data.
- CONTACTS
- The User has the right to contact the Company's support service at: [email protected] to ensure his rights, in accordance with the terms of this Security Policy, or in case of violation of his rights, or to leave feedback or ask a question.