SECURITY POLICY

Publication date: March 5, 2025.

The Security Policy regulates the procedure and methods for protecting the Data of the User.

The Security Policy describes protection systems, methods and techniques for ensuring the security of User Data.

The Security Policy describes special methods of data processing, such as encryption, pseudonymization, and ways to protect against DDoS attacks.

The Security Policy was created so that the Data Subject has the opportunity to familiarize itself with how Personal Data is stored, how access to Personal Data is granted to Company employees, and the Company’s procedure in case of loss of Personal Data.

Please read the Privacy Policy for a more profound understanding of the security of Personal Data.

  1. DEFINITION 
    1. User is any person who installs the App to receive Services for the purpose of monitoring their health.
    2. Personal Data is any information that is in the public domain, allowing you to directly or indirectly identify the User. For example, first name, last name, phone number, IP address.
    3. Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
    4. Data is a common name for Personal Data and Data concerning health.
    5. DeHealth company (hereinafter referred to as the "Company" or "DeHealth") is DEHEALTH TECHNOLOGIES, INC, registered at 1049 El Monte Avenue, Ste C #846, Mountain View, CA 94040, United States, EIN: 36-5099713, which provides Services to Users.
    6. DeHealth application (hereinafter referred to as the "App") is a service created so that the User can check the state of his health and monitor the change in his health.
    7. Services is an algorithm of actions carried out by the Company to provide the User with the opportunity to install the App to check the state of his health and monitor its condition by contacting a Doctor.
    8. Disaster is any disruptive or catastrophic event (e.g., power outage, weather, natural disaster, vandalism) that causes an interruption in technology relating to Data, databases, systems, archived data and other resources provided by the Company. 
    9. Emergency means sudden, urgent, usually unexpected occurrence or occasion requiring immediate action.
    10. Pseudonymization is the processing of Data as a result of which the Data cannot be identified without the use of additional information, provided that such additional information is stored separately and protected by technical and organizational means to exclude the association of Data with an identified or identifiable individual.
    11. Encryption is an algorithmic and reversible transformation of Data that is performed by a symbolic sequence in order to ensure their security.
    12. Server is specialized equipment that is designed to store information and service users and databases.
    13. Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules about who can see and receive medical information.
  2. GENERAL PROVISION
    1. By ensuring the security of Data we mean a set of actions aimed at preventing the disclosure and/or loss of Data.
    2. In the event of a situation during which there is a possibility of loss of Data, we make every effort to avoid it.
    3. The Company uses measures such as Pseudonymization and Data Encryption.
    4. We make every effort to restore access to Data in the event of its disclosure and/or loss.
    5. The Company uses MySQL relational databases to store Data. Data is protected with regular backups and controlled access.
  3. SCOPE OF APP
    1. The Security Policy applies exclusively to Data processed by the Company when providing access to the Services and paying for them.
    2. The Security Policy does not apply to Data that is not processed by the Company, including but not limited to accepting payment from the User for providing access to the Services.
  4. AUTHENTICATION & PASSWORD MANAGEMENT
    1. Company implements unique user IDs that are different from the Company’s email address. Password guidelines, which incorporate best practices from the latest National Institute of Standards and Technology (NIST) guidelines (set forth in NIST SP 800-63B), are set forth below and used by Company:
      1. Passwords must be at least eight (8) characters long, with a maximum length of 64 characters. 
      2. The Company and its Employees must be able to use all special characters. The Company does not require the use of special characters. However, passwords must be limited as follows:
        1. Use of sequential and repetitive characters (i.e., 12345 or aaaaa) shall be restricted. 
        2. Use of context-specific passwords shall be restricted. 
        3. Use of commonly used passwords (i.e., p@ssw0rd, etc.) shall be restricted. 
        4. Passwords obtained from previous security breaches shall not be used.
      3. Password protection requirements for Users:
        1. Never reveal a password over the phone to anyone;
        2. Never reveal a password in an email message; 
        3. Never reveal a password to your supervisor; 
        4. Never talk about a password in front of others; 
        5. Never hint at the format of a password (i.e., "my family name"); 
        6. Never reveal a password on questionnaires or security forms;
        7. Never share a password with family members;
        8. Never reveal a password to co-workers;
        9. Never write down your password; instead, memorize it;
        10. Never keep a list of User IDs and passwords in your office;
        11. Never misrepresent yourself by using another person’s User ID and password.
    2. Industry standard protocols will be used on all routers and switches used in the Wide Area Network (WAN) and the Local Area Networks (LANs) of the Company. Authentication types can include:
      1. Unique ID and passwords; 
      2. Telephone callback; 
      3. A token system that uses a physical device for User identification; 
      4. Two forms of authentication for wireless remote access; 
      5. Information systems used to access Data concerning health use technology such as digital certificates, to identify and authenticate connections to specific devices involved in system communications.
    3. Company Team(s) Responsibilities for Network Employee ID Creation:
      1. System administrators shall provide the password for a new unique User ID only to the Employee to whom the new ID is assigned.
      2. Users may at times request that their password be reset. System administrators shall verify the identity of the Employee requesting a password reset or verify that the person making the request is authorized to request a password reset for another. 
    4. Employees undergo annual cybersecurity certification and adhere to NIST policies on restricting access to Data. Each employee signs a non-disclosure agreement (NDA) and a cybersecurity compliance obligation.
  5. FACILITY ACCESS CONTROLS
    1. Company is responsible for safeguarding Data concerning health from any intentional or unintentional use or disclosure. Company is implementing physical safeguards to protect its facilities where Data concerning health can be accessed. Such safeguards shall maintain the confidentiality, integrity, and availability of Data concerning health.
    2. Company is safeguarding its facilities and the equipment therein from unauthorized physical access, tampering, and theft. Company's security officer(s) shall annually audit Company’s facilities to ensure Data concerning health safeguards are continuously being maintained.
    3. One or more of the following is implemented for all sites that access Data concerning health:
      1. Visitor Access Control: In facilities where Data concerning health is available, all visitors shall be escorted and monitored. Each facility shall implement its own procedures that govern visitor access controls. These procedures may vary depending on the facility's structure, the type of visitors, and where the Data concerning health is accessible.
      2. Network Closet(s): Every network closet shall be locked whenever the room is unoccupied or not in use. Company is documenting who has access to the network closets and periodically changes the locking mechanisms.
    4. The Company documents written procedures for its facility security plan. The procedures are written to meet the unique requirements of each facility. An important part of compliance is documenting and implementing processes to ensure that the security measures in the facility security plan are maintained.
    5. The Security Policy covers specific requirements for:
      1. Employees who work in other facilities.
      2. Employees who work from home or other non-office sites.
      3. Password protection of Employees' personal computers.
      4. Security for all other forms of portable Data concerning health, such as locking up CD/DVD ROM Disks, floppy disks, USB drives, PDAs, and laptops.
      5. Automatic, time-based User session-lock when a computer or workstation is left idle.
      6. Accessing (by, i.e., VPN) Data concerning health outside Company’s Wide Area Network (WAN).
    6. Employees shall:
      1. Employees shall ensure that observable Data concerning health is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Company and its Employees shall make every effort to ensure that Data concerning health and any other confidential information on computer screens is not visible to unauthorized persons.
      2. Employees working in facilities that are not part of Company shall maintain awareness of their surroundings to ensure that no one can incidentally view Data concerning health, and that no Data concerning health is left unattended.
      3. Employees who work from home or other non-office sites shall take the necessary steps to protect Data concerning health from other persons who may have access to their home or other non-office site. These measures include password protection of their personal computers, and security measures for all other forms of portable Data concerning health such as locking up CD/DVD ROM Disks, floppy disks, USB drives, PDAs, and laptops.
      4. While accessing Data concerning health outside the Company’s Wide Area Network (for example: extranet, VPN), automatic log off shall occur after a maximum of 15 minutes of inactivity. Automatic log off is a system-enabled enforcement of session termination after a period of inactivity and blocks further access until the workforce member reestablishes the connection using the identification and authentication process.
  6. AUDIT CONTROLS
    1. Special registers of Employees with the right to access Data are stored in access control systems (IAM). All Employee accesses to the Data are registered, each change to the Data or its viewing is recorded. The Company conducts random audits of the use of Data to identify unexpected access to Data by Employees.
    2. Log-in Monitoring:
      1. The Company has the right to monitor system access and activity of all Employees.
      2. To ensure that access to Servers, workstations, and other computer systems containing Data concerning health is appropriately secured, the following login monitoring measures are implemented:
        1. A mechanism to log and document four (4) or more failed log-in attempts in a row shall be implemented on each network system containing Data concerning health when the technology is capable.
        2. Login activity reports and logs shall be reviewed, at a minimum, on a biweekly basis, to identify any patterns of suspicious activity.
        3. All failed login attempts of a suspicious nature, such as continuous attempts, shall be reported immediately to the security officer or the designee for the Company.
        4. To the extent that technology allows, any Employee ID that has more than four (4) repeated failed login attempts in a row shall be disabled for a minimum of 30 minutes.
  7. INCIDENT RESPONSE & REPORTING
    1. Company employs tools and techniques to monitor events, detect attacks, and provide identification of unauthorized use of the systems that contain Data concerning health.
    2. Reporting:
      1. All security incidents, threats, or violations that affect or may affect the confidentiality, integrity, or availability of Data concerning health shall be reported and responded to promptly.
      2. Incidents to be reported include, but are not limited to:
        1. Virus, worm, ransomware, or other malicious code attacks;
        2. Network or system intrusions;
        3. Persistent intrusion attempts from a particular entity;
        4. Unauthorized access to Data concerning health;
        5. Data concerning health loss due to disaster, failure, error, or theft;
        6. Loss of any electronic media that contains Data concerning health;
        7. Loss of the integrity of Data concerning health; 
        8. Unauthorized person(s) found in the Company’s facility.
      3. The Company’s compliance officer shall be notified immediately of any suspected or real security incident. If it is unclear as to whether a situation is a security incident, the compliance officer shall be contacted to evaluate the situation.
  8. DATA SECURITY MEASURES
    1. The Company stores hashes of each individual field of User information in the blockchain. This ensures that any operation of adding or changing Data was performed exclusively by the User. For each field of information (for example, weight, height, blood type), a unique hash is created and written to a decentralized storage. To confirm the authenticity of the changes, the Company can provide a hash function that allows you to reproduce the hash in the presence of the original data, which makes it possible to check that the data has not been changed by third parties.
    2. The Company shall use the following Data security measures:
      1. information risk assessment;
      2. rules for working with Data;
      3. separation of employee/contractor access levels to Data;
      4. regular testing of Data security;
      5. coordination between key Employees who have access to Data;
      6. rules for access to premises and equipment where Data is stored;
      7. performing periodic checks of Data security;
      8. use of antivirus software;
      9. use of security systems;
      10. control of physical access to Data;
      11. protection of Data using an authorization system;
      12. assigning a unique password to an employee to access Data;
      13. backup of Data;
      14. training and advanced training of employees who have the right to access Data;
      15. interaction with the Server.
    3. The Company identifies the following Data cybersecurity measures:
      1. system security - the security of our network and information systems, including those that process Data;
      2. data security - the security of the Data that we store on our Server;
      3. security systems - the security of Data, which is ensured with the help of special services, programs.
    4. To protect Data, the Company monitors traffic using AWS GuardDuty and IDS/IPS solutions such as Snort for traffic analysis.
    5. The Company integrates a SIEM system to collect and correlate logs and detect suspicious activity through AWS CloudTrail.
    6. The Servers are located on AWS in an Availability Zone. Data is protected by encryption using KMS (Key Management Service); Amazon EBS (Elastic Block Store) with automatic data backup is used for data storage. Access to Servers is restricted via VPN and MFA.
    7. The Company uses Avast antivirus with automatic system scanning, using AI to detect threats and regularly update virus databases, including monthly scanning of laptops/computers and Servers for virus vulnerabilities, attacks, etc.
  9. PSEUDONYMISATION OF DATA
    1. Pseudonymisation does not allow identification of Data, but it allows it to be distinguished from other Data.
    2. Pseudonymisation allows identification of an employee or counterparty using online identifiers.
    3. Pseudonymisation of Data may reduce the risks of loss and/or disclosure of Data and help Company to fulfil their obligations to protect Data.
  10. ENCRYPTION OF DATA
    1. Encryption: Proven, standard algorithms are used as the basis for encryption technologies.
    2. Circumstances where Encryption is required:
      1. All devices that connect to or store Data concerning health must be encrypted.
      2. No Data concerning health shall be sent outside the Company’s domain unless it is encrypted. This includes all email and email attachments sent over a public internet connection.
      3. When accessing a secure network, an encryption communication method, such as a VPN, shall be used.
    3. Circumstances where Encryption is optional:
      1. When using point-to-point communication protocols to transmit Data concerning health, no Encryption is required.
      2. Dial-up connections directly into secure networks are considered to be secure connections for Data concerning health and no encryption is required.
    4. Data concerning health transmissions using wireless LANs and devices within the Company Domain:
      1. The transmission of Data concerning health over a wireless network within the Company's domain is permitted if both of the following conditions are met:
        1. The local wireless network is utilizing an authentication mechanism to ensure that wireless devices connecting to the wireless network are authorized;
        2. The local wireless network is utilizing an encryption mechanism for all transmissions over that wireless network and uses two (2) types of authentication.
      2. If transmitting Data concerning health over a wireless network that is not utilizing an authentication and encryption mechanism, the Data concerning health is encrypted before transmission.
    5. Company encrypts Data in the following way: local storage of encrypted Data. In this case, Data is encrypted and then stored on the Server in encrypted form.
    6. The Company uses the following software and methods for Encryption:
      1. SSL/TLS for Zipit encryption;
      2. Encryption disk on HealthLake;
      3. gRPC communication between the Company's services;
      4. Firebase for data storage;
      5. Firewall usage;
      6. using AES-256 to encrypt hard drives at rest;
      7. regular updating of SSL/TLS certificates for traffic encryption;
      8. use of services with authentication through OAuth 2.0;
      9. integration with deep logging via AWS CloudWatch to track changes and anomalous activity;
      10. multi-factor authentication (MFA).
    7. To ensure Data security, the Company uses segmented data storage in different AWS regions to increase stability and automatic backup to Amazon S3 with Data Encryption with regular software version updates.
    8. Data is stored in the cloud on digital media. Backups are encrypted and stored in AWS Glacier for long-term archival storage. Access to physical servers is restricted by AWS Glacier's physical security policy.
    9. Company encrypts Data both during their transmission and during their storage.
  11. DDoS PROTECTION
    1. The Company uses the maximum and most modern means of protection against DDoS attacks, minimizing the possibility of losing Data and lack of access to the Service.
    2. The Company uses the maximum and most modern methods of protection against DDoS attacks, minimizing the likelihood of losing Data.
    3. The Company uses the following types of protection against DDoS attacks:
      1. protection against all types of DDoS attacks (SYN Flood, UDP/ICMP Flood, HTTP/HTTPS attacks);
      2. secure IP address;
      3. Cloud Security with AWS Shield;
      4. filtering traffic through specialized equipment and software methods;
      5. use of Intrusion Prevention Systems (IPS);
      6. ensuring protection from the Company's Server;
      7. OpenSSL is used to encrypt data in transit.
    4. To provide additional protection against DDoS attacks, content delivery services, Internet security services, and distributed domain name Server services are used.
  12. PROTECTION FROM MALICIOUS SOFTWARE
    1. The Company ensures all computers it owns, leases, and/or operates, are installed with, and maintain, anti-virus and anti-malware software. All workstations shall be configured to activate and update anti-virus and anti-malware software automatically each time the computer is turned on or the User logs onto the network.
    2. In the event that a virus, worm, or other malicious code has infected or been identified on a Server or workstation, that equipment shall be disconnected from the network until it has been appropriately disinfected.
    3. Channels protected by TLS 1.2 or 1.3 are used for data transmission, with automatic encryption on the receiver side. Deletion of Data is performed using secure destruction protocols in accordance with NIST SP 800-88, including overwriting of Data and physical destruction of media when necessary.
  13. EMERGENCY/DISASTER
    1. The Company establishes (and implements as needed) procedures for responding to an emergency or other occurrence (i.e., fire, vandalism, system failure, or natural disaster) that damages systems containing Data concerning health. These procedures consist of:
      1. Applications and data criticality analysis;
      2. Sanction Policy;
      3. Information System Activity Review Policy;
      4. Data Backup Plan;
      5. Disaster Recovery Plan; 
      6. Emergency Mode Operation Plan;
      7. Disposal/Destruction of Data concerning health Policy;
      8. Media ReUse Policy;
      9. Emergency Access Procedure.
  14. BUSINESS ASSOCIATES
    1. Business Associates:
      1. The Company has many contractual and business relationships. However, not all contractors or business partners are “Business Associates,” as that term is defined by HIPAA. This Security Policy only applies to contractors or business partners that fall within the definition of a “Business Associate.” Essentially (and as explained in greater detail under “Definitions,” below), a Business Associate is any person or organization that the Company hires to help the Company to do something. The “something” under the contract involves the organization’s either directly or indirectly sharing protected Data concerning health or electronic Data concerning health with the Business Associate.
      2. The lead compliance officer(s) of the Company shall review all contracts to determine if the contract requires a Business Associate Agreement (“BAA”). If a BAA is required, contract managers must complete the BAA and notify the compliance officer(s). The BAA requires the Business Associate to provide satisfactory assurance that the Business Associate shall appropriately safeguard Data concerning health, and report any security incidents.
      3. The Company shall audit the Business Associate via electronic questionnaire. If decided by the Chief Compliance Officer, the Company shall conduct a security audit of the Business Associate's HIPAA Policies and Procedures as a means of due diligence to ensure that the Business Associate is taking the necessary precautions under the HIPAA Security Rule to protect the data that is shared with it.
    2. The Company has developed Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). These include the organization of access to backup systems in the event of an Emergency/Disaster and support of critical services and systems to minimize interruptions in the Company's work.
    3. All BAAs cooperating with the Company sign a non-disclosure agreement (NDA) and process Data exclusively within the framework of defined tasks. A separate register is maintained for each BAA, which indicates the types of Data to which access is granted.
  15. WORK FROM HOME POLICY
    1. Employees who telecommute must take proper security measures to ensure that Data concerning health remains appropriately safeguarded. With respect to the devices employees who telecommute use to perform their work, Employees must do the following:
      1. Employees must have a device that the employee will dedicate for business purposes only.
      2. Employees must ensure device drives are encrypted. This can be accomplished by using an encryption application such as Microsoft BitLocker or Apple FileVault.
      3. Employees must install antivirus and antimalware protections before Employees can use a device for business purposes.
      4. Employees must enable the “Automatic Updates” function of any device, software program, or operating system used to perform work.
      5. Employees must have a strong password-protected account on their device. Password guidelines, which incorporate best practices from the latest National Institute of Standards and Technology (NIST) guidelines (set forth in NIST SP 800-63B), are set forth below and shall be used by employees:
        1. Passwords shall be a minimum of eight (8) characters in length. A maximum length of 64 characters is permitted.
        2. Passwords may consist of all special characters; however, use of all special characters is not a requirement.
        3. Password use shall be restricted as follows:
          1. Use of sequential and repetitive characters (i.e., 12345 or aaaaa) is restricted.
          2. Context-specific passwords are restricted.
          3. Commonly-used passwords (i.e., p@ssw0rd, etc.) shall be restricted.
          4. Passwords obtained from previous security breaches shall not be used.
        4. Employees must have a password-protected screen lock timeout set to a maximum of 15 minutes.
        5. Employees must ensure that all wireless router traffic is encrypted, using (at a minimum) WPA2-AES Encryption.
        6. Employees must make sure that the password to a wireless network is a strong password, in accordance with (5) above.
        7. Employees may not download or print Data concerning health at home offices or any other location from which employees telecommute.
        8. Employees must conduct a physical site audit, and provide the details of that audit, to the current security officer, no less than once every twelve months. The audit consists of the following questions:
          1. Does the employee print paper documents that contain protected health information at the employee’s home office?
          2. Does the employee receive paper faxes at a physical fax machine in the Employee’s home office?
          3. Does the employee take paper or electronic files containing Data concerning health to the Employee’s home office?
          4. Does the Employee’s home office have a lockable door?
          5. Does the Employee’s home or home office have an alarm system?
          6. Does the employee store paper documents that contain Data concerning health in the employee’s home office?
        9. Company’s security officer shall conduct its own portion of the physical audit. The physical audit for the security officer consists of the following questions:
          1. Is the drive on the employee’s computer encrypted using either Apple FileVault or Microsoft BitLocker encryption?
          2. Does the Employee’s computer have antivirus and antimalware software installed, and is the software up-to-date?
          3. Are automatic updates on employee devices, operating systems, and applications turned on?
          4. Is the Employee’s computer protected with a “strong password,” as that phrase is defined in (5), above?
          5. Is the Employee’s computer set to lock after 15 minutes of inactivity?
          6. If the Employee has a wireless router, is the router protected with WPA2-AES Encryption?
          7. If the Employee has a router, is the router protected with a strong password?
          8. Company’s security officer and/or IT department must confirm Employees have all security measures required by this policy in place, before access to Company’s resources is granted.
  16. PROCEDURE IN THE EVENT OF A SECURITY BREACH OF DATA
    1. In case of unlawful disclosure and/or loss of Data, the Company takes the following steps:
      1. Immediately notifies the User of such breach;
      2. Takes all necessary measures to stop further disclosure;
      3. Performs security audits to prevent further leakage of Data;
      4. Takes actions to minimize the damage from such leakage of Data;
      5. Notifies the supervisory authority;
      6. Takes action to compensate for damage to the User.
    2. The Company trains its employees to perform an algorithm of actions in case of violation of the security of Data.
    3. The Company assesses and monitors the mitigation of damage from a Personal Data breach and ensures cooperation between employees and Users, and regularly reviews the Data breach response plan.
  17. CHANGING THE SECURITY POLICY
    1. The Company has the right to change the provisions of the Security Policy in case of changes in the methods and ways of ensuring the security of Data.
    2. If changes are made to the Security Policy, the Company trains its employees and adds new provisions to this Security Policy.
    3. The User is obliged to read the new terms of the Security Policy, and the Company is not responsible if the User has not read the new terms of the Security Policy.
    4. Digital or otherwise stored copies of the Security Policy are considered to be authentic, complete, valid and enforceable versions of this Security Policy in effect at the time the User visits the App. If the User uses the Services, after the date of updating the Security Policy, he agrees to the new rules for the storage of Data.
  18. CONTACTS
    1. The User has the right to contact the Company's support service at: [email protected] to ensure his rights, in accordance with the terms of this Security Policy, or in case of violation of his rights, or to leave feedback or ask a question.