Security & Trust

Security & Trust Center

Last updated: July 1, 2026 · Version 2026-07-01 · 49 assessment questions answered

This questionnaire is the authoritative, structured record of NEDOCS's security and privacy posture for hospital procurement, security reviewers, and automated assessment agents. It maps each vendor-assessment question to NEDOCS's canonical answer, the implementing control, and (where applicable) the remediation status for items raised in a corrective action plan. The evaluation tier operates without PHI; production PHI use requires a separately executed Business Associate Agreement (BAA).

Security posture at a glance

Multi-factor authentication

Remediated

Required at sign-in — email OTP default; TOTP optional

Encryption at rest

Remediated

AES-256-GCM field encryption + volume/DB encryption

Encryption in transit

Implemented

TLS 1.2+ everywhere; HSTS in production

Access control

Implemented

Role-based access, least privilege, tenant isolation

Account protection

Implemented

Brute-force lockout + 30-min idle timeout

Password policy

Implemented

8+ chars, upper/lower/number complexity

Audit logging

Implemented

Auth, MFA, and agreement-acceptance audit trail

HIPAA

Implemented

Business-associate ready; BAA for production PHI

SOC 2 Type II

Remediated

Completed — Security, Availability, Confidentiality (report under NDA)

System architecture & data-flow diagram

Principal components and the flow of data and communications. Network segmentation separates the public marketing site from the authenticated application. The evaluation tier processes no PHI; only synthesized ED flow metrics are persisted.

Clinician / Admin Browser (MFA + RBAC) Hospital EHR HL7 v2 / FHIR / REST TLS 1.2+ SEGMENTED APPLICATION TIER NEDOCS Express app Auth · sessions · scoring · APIs WAF / IDS Firewall · IPS Audit logs Auth · access · SIEM DATA TIER MongoDB AES-256 at rest encrypted LLM inference de-identified · no training no PHI

Corrective action plan status

Findings raised in the vendor assessment and their current remediation status.

IDQuestionAnswerStatusRemediation
2289 Does your product support Multi-Factor Authentication (MFA) for customer users when logging into your system? Yes Remediated Finding: 'MFA — No'. Remediated by implementing TOTP MFA (enrollment, QR provisioning, encrypted secret storage, and a login second-factor challenge).
2290 Does your product support Single Sign-On (SSO), such as SAML or OIDC, for customer users logging into your system? No In Progress Finding: 'Rectify MFA, Password updates, and complexity'. MFA and password complexity/updates are remediated; enterprise SSO (SAML/OIDC) is planned.
2291 Does your product/service encrypt data at rest? Yes Remediated Finding: 'Encryption at rest requirement — No'. Remediated by adding AES-256-GCM field-level encryption for sensitive data and confirming hosting-tier volume/database encryption.
2287 Can you provide a data flow diagram showing the relationships of principal parts/functions and the flow of data and communications? Yes Remediated Finding: 'Block Diagram — No'. Remediated by publishing a data-flow/architecture diagram on the Trust Center.
2294 Is your product/service scanned by a dynamic application security scanning (DAST) tool while in production? In progress In Progress Finding: 'SDLC deficient — DAST No'. Compensating control: pre-production SAST/code scanning. DAST tooling for the production environment is being integrated.
2292 Does the organization protect customer data with a data loss prevention (DLP) solution and monitor for suspicious activity? In progress In Progress Finding: 'DLP — No'. Compensating controls documented; dedicated DLP tooling under evaluation.
2293 Has a third party conducted a penetration test on your product or service within the last year? Scheduled Planned Finding: 'No 3rd party testing'. Third-party penetration test scheduled; interim internal testing + scanning in place.
2288 In the past year, has your organization completed a SOC 2 Type 2 control report? Yes, within the past year Remediated Finding: 'SOC assessment not completed'. Remediated — SOC 2 Type II examination completed; report available under NDA.
2285 Is your organization a Business Associate (BA) as defined by HIPAA? Yes, when a BAA is executed — NEDOCS is HIPAA business-associate ready. Remediated Finding: 'HIPAA compliance — please clarify and update'. Clarified: BA-ready; evaluation tier is contractually no-PHI; BAA executed for production PHI use.
2286 Does your organization require NDAs or confidentiality agreements with third-party vendors when confidential, sensitive, or PII will be disclosed? Yes Remediated Finding: 'Update documentation on data input and sensitivity'. Documented vendor NDA/confidentiality requirements and data-input sensitivity boundaries.
2295 Did you mitigate OWASP LLM Top 10 risks during the development of your AI model? Yes (compensating controls) — OWASP LLM Top 10 risks are addressed for our AI-assisted features. Remediated Finding: 'No OWASP Compliance — lots of AI issues'. Documented OWASP LLM Top 10 mitigations and AI governance posture; foundation models are not trained on customer data.

Full questionnaire responses

Identity and Access Management · InfoSec

Does your product support Multi-Factor Authentication (MFA) for customer users when logging into your system?
Remediated
Answer: Yes
NEDOCS supports multi-factor authentication for all customer accounts, with two methods. The default method emails a 6-digit one-time code to the account email address (which is also the username); the alternative is an app-based TOTP (RFC 6238) authenticator (Google/Microsoft Authenticator, 1Password, Authy) enrolled by scanning a QR code. After a correct password the user is challenged for the code before a session is established. Email codes expire in 10 minutes and are stored only as SHA-256 hashes; TOTP secrets are encrypted at rest. MFA can additionally be mandated for privileged roles via configuration.
NIST CSF V1.1: PR.AC-1, PR.AC-4, PR.AC-6 NIST CSF V2.0: PR.AA-01, PR.AA-02, PR.AA-05 Evidence →
Does your product support Single Sign-On (SSO), such as SAML or OIDC, for customer users logging into your system?
Planned
Answer: No
SAML/OIDC SSO is on the roadmap. In the interim, password policy and MFA have been strengthened: minimum 8 characters with upper/lower/number complexity, TOTP MFA, brute-force lockout, and forced password change on reset.
NIST CSF V2.0: PR.AA-01, PR.AA-03
What password complexity configurations and settings are available?
Implemented
Answer: Minimum 8 characters requiring at least one uppercase letter, one lowercase letter, and one number.
Enforced centrally on account creation, password reset, and password change (config.security.minPasswordLength; validatePassword). Length is configurable per deployment.
NIST CSF V1.1: PR.AC-6 NIST CSF V2.0: PR.AA-02 Evidence →
Is there lockout for failed login attempts? What are the lockout settings?
Implemented
Answer: Yes — accounts lock after 10 consecutive failed attempts for 15 minutes (both configurable).
AccessFailedCount is incremented on each failed sign-in; on reaching the threshold LockoutEnd is set and further attempts are refused until it elapses. A successful sign-in resets the counter.
NIST CSF V1.1: PR.AC-6 NIST CSF V2.0: PR.AA-02
Does your system/service support role-based access controls/rights that may be applied to customer accounts?
Implemented
Answer: Yes
Role-based access control (Administrator, NEDOCS, manager, User) is enforced by middleware on every protected route. Hospital-scoped data isolation ensures users only see their own organization's data (least privilege).
NIST CSF V1.1: PR.AC-1, PR.AC-4, PR.AC-6 NIST CSF V2.0: PR.AA-02, PR.AA-05
Is the principle of least privilege applied when provisioning customer accounts?
Implemented
Answer: Yes
Accounts receive only the roles required for their job function; hospital data is logically segregated per tenant.
NIST CSF V2.0: PR.AA-01, PR.AA-02, PR.AA-05
Does your application force a timeout for inactivity? Is the timeout customer-configurable?
Implemented
Answer: Yes — a 30-minute idle timeout is enforced and is customer-configurable.
Authenticated sessions are invalidated after 30 minutes of inactivity (SESSION_IDLE_TIMEOUT_MINUTES). Session cookies are HTTP-only, SameSite=Lax, and Secure in production, with an 8-hour absolute lifetime.
NIST CSF V2.0: PR.AA-05
Does your product implement restrictions on concurrent user sessions and detect unauthorized access?
Implemented
Answer: Yes — server-side session store with per-user session tracking; policy prohibits shared/generic accounts.
Sessions are stored server-side in MongoDB; the acceptable-use policy prohibits generic/group email accounts as primary account identities.
NIST CSF V2.0: DE.CM-03

Cryptographic Controls · InfoSec

Does your product/service encrypt data at rest?
Remediated
Answer: Yes
Data is encrypted at rest at two layers: (1) application-layer field encryption using AES-256-GCM for sensitive fields (MFA/TOTP secrets, phone numbers, one-time verification codes), keyed by a 256-bit data key (DATA_ENCRYPTION_KEY); and (2) full-volume/database encryption provided by the hosting tier. Password material is stored only as PBKDF2-HMAC-SHA256 hashes (100k iterations); reset tokens as SHA-256 digests.
HIPAA Security § 164.312(a)(2)(iv) NIST CSF V1.1: PR.DS-1 NIST CSF V2.0: PR.DS-01 Evidence →
Does your product/service encrypt data in transit? Do you use TLS 1.2 or later?
Implemented
Answer: Yes — TLS 1.2+ for all web and API traffic.
All traffic is served over HTTPS/TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled in production. HL7/EHR ingestion requires TLS 1.2+.
HIPAA Security § 164.312(a)(2)(iv) NIST CSF V1.1: PR.DS-2 NIST CSF V2.0: PR.DS-02
Is your organization responsible for managing encryption keys for this product/service?
Implemented
Answer: Yes
Application data keys are provisioned via secrets management (environment-injected, never committed) and rotated per policy. Hosting-tier keys are managed by the cloud provider's KMS. Guidance follows NIST SP 800-57.
NIST SP 800-57 Part 1 Rev. 5
Is AI training/inference data encrypted at rest using industry-standard encryption (e.g., AES-256)?
Implemented
Answer: Yes — AES-256 at rest; TLS 1.2+ in transit.
AI features send de-identified/synthetic operational inputs only; any retained data is encrypted with AES-256 at rest and TLS 1.2+ in transit.
NIST AI RMF: MAP 4.1

Application Security · InfoSec

Can you provide a data flow diagram showing the relationships of principal parts/functions and the flow of data and communications?
Remediated
Answer: Yes
A system architecture and data-flow diagram is published on the Trust Center. It shows browser/EHR clients, the TLS boundary, the Express application tier, network segmentation between the public marketing site and the authenticated app, the MongoDB data tier with encryption at rest, and the external LLM inference boundary (de-identified inputs only).
NIST CSF V1.1: DE.AE-1 NIST CSF V2.0: ID.AM-03 Evidence →
Do you incorporate security (controls, processes, training) as part of your Software Development Lifecycle (SDLC)?
Implemented
Answer: Yes
Security is embedded in the SDLC: peer code review, automated code scanning before production, dependency review, staged test-before-production deployment, and rollback procedures via the change-management process.
NIST CSF V1.1: PR.IP-2 NIST CSF V2.0: PR.PS-06
Do you implement controls to ensure data accuracy, such as integrity checks, input and data validation?
Implemented
Answer: Yes — integrity constraints, access controls, input validation, and data validation.
Server-side input validation, parameterized database access, output encoding in templates, and CSRF-resistant session cookies (SameSite).
NIST CSF V1.1: PR.DS-6 NIST CSF V2.0: PR.DS-01
Does the solution exclude confidential information from URLs (e.g., date of birth, medical record number, account number)?
Implemented
Answer: Yes
Sensitive identifiers are never placed in URLs; the evaluation tier processes no PHI.
Is your product/service scanned by a dynamic application security scanning (DAST) tool while in production?
In Progress
Answer: In progress
Static analysis and automated code scanning run pre-production today (compensating control). A continuous DAST capability against the production surface is being onboarded.
NIST CSF V1.1: DE.CM-8 NIST CSF V2.0: ID.RA-01
Do you provide APIs for your product/service? Describe the security model and controls.
Implemented
Answer: Yes — REST + HL7 ingest APIs authenticated by per-hospital API keys (Bearer/X-API-Key), TLS 1.2+.
Documented OpenAPI 3.1 spec at /api/openapi.json. Each hospital is issued a scoped API key; keys are managed in Settings and can be rotated/revoked. PHI is not persisted — only synthesized flow metrics.

Event Logging · InfoSec

Which event log details are captured by your product or service? (Select all that apply)
Implemented
Answer: Success/failure of the event, event source, event date/timestamp, where the event occurred, identity of the user/subject, and event type.
Server-side request logging, authentication events (including MFA and lockout), agreement-acceptance audit records, and HL7 ingestion events are captured with source, timestamp, actor, and outcome.
NIST CSF V1.1: PR.PT-1, DE.AE-3 NIST CSF V2.0: DE.AE-03, PR.PS-04
Does your organization validate that logs are not tampered with? What controls are in place?
Implemented
Answer: Yes — append-only audit collections and immutable agreement-acceptance records; SIEM-forwardable.
Agreement-acceptance records (timestamp, user, IP, user-agent, version) are stored in an immutable audit collection. Logs can be forwarded to a customer SIEM.
NIST CSF V1.1: PR.PT-1 NIST CSF V2.0: PR.PS-04
How long does the product/service retain user activity and system logs?
Implemented
Answer: User activity logs: at least 1 year. System logs: 1 year or more.
NIST CSF V2.0: PR.PS-04

Data Security Management · InfoSec

Where is your primary and backup data center located for US-based customers?
Implemented
Answer: Within the United States (Los Angeles, California; distributed/redundant backup within the US).
NIST CSF V1.1: PR.IP-5 NIST CSF V2.0: PR.IR-02
Is each customer's data physically or logically segregated from other customers' data?
Implemented
Answer: Logically segregated (per-hospital tenancy and access scoping).
Is any production data used in non-production environments?
Implemented
Answer: No — non-production uses synthetic/de-identified data.
Does your data destruction process follow NIST SP 800-88: Guidelines for Media Sanitization?
Implemented
Answer: Yes
NIST SP 800-88
Does the organization protect customer data with a data loss prevention (DLP) solution and monitor for suspicious activity?
In Progress
Answer: In progress
Compensating controls in place today: least-privilege access, encryption at rest and in transit, egress restrictions, and monitoring/alerting on the hosted environment. A dedicated DLP tool is being evaluated.

Threat / Vulnerability Management · InfoSec

Has a third party conducted a penetration test on your product or service within the last year?
Planned
Answer: Scheduled
An independent third-party penetration test is scheduled. Compensating controls today: internally conducted testing, automated vulnerability scanning, and pre-production code scanning. Results will be available to customers under NDA.
NIST CSF V1.1: ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-5, DE.CM-8 NIST CSF V2.0: ID.RA-01, ID.RA-02, ID.RA-03, ID.RA-05
What is your policy for remediation of critical vulnerabilities (CVSS 9-10) and non-critical (<9)?
Implemented
Answer: Critical (CVSS 9-10): within 24 hours. Non-critical (<9): within 30 days.
NIST CSF V2.0: ID.RA-01
Do you perform vulnerability scans of your product/service? How often?
Implemented
Answer: Yes — continuous/automated dependency and vulnerability scanning.
NIST CSF V1.1: PR.IP-12, DE.CM-8 NIST CSF V2.0: ID.RA-01
Is the operating environment protected by a firewall, WAF, IDS/IPS, and monitored for suspicious activity?
Implemented
Answer: Yes — firewall, web application firewall, and IDS/IPS protect the hosted environment.
NIST CSF V1.1: PR.PT-4 NIST CSF V2.0: PR.IR-01
Do you provide a capability for users/researchers to report security vulnerabilities?
Implemented
Answer: Yes — security contact published on the Trust Center and Compliance page.

Updates / Change Management · InfoSec

Do you follow a documented change/release management process with approvals and rollback?
Implemented
Answer: Yes
Changes are peer-reviewed, validated in a test environment before production, deployed via a documented process, and support rollback. Unauthorized changes are detectable via version control and deployment controls.
NIST CSF V1.1: PR.IP-3, PR.MA-1 NIST CSF V2.0: ID.AM-08, ID.RA-07, PR.PS-01
Is your code scanned by an automated code scanning tool before being put into production?
Implemented
Answer: Yes
AI-assisted and automated code scanning run before production; AI-generated code is reviewed and validated against secure-development standards.
NIST CSF V1.1: DE.CM-4, DE.CM-5, DE.CM-8 NIST CSF V2.0: DE.CM-09, ID.RA-01

Security Compliance · InfoSec

In the past year, has your organization completed a SOC 2 Type 2 control report?
Remediated
Answer: Yes, within the past year
I AM GRACE INC. has completed a SOC 2 Type II examination of the NEDOCS service covering Security, Availability, and Confidentiality Trust Services Criteria. The report attests that controls were suitably designed and operated effectively throughout the examination period. Available to qualified customers and assessors under NDA on request.
SOC 2 Evidence →
Which cybersecurity standards, frameworks, or best practices are leveraged? (Select all that apply)
Implemented
Answer: HIPAA Security, NIST (CSF v2.0 / SP 800 series), SOC 2, CIS Critical Security Controls.
NIST CSF V2.0 HIPAA Security Rule SOC 2 CIS Controls
Does your organization review and verify compliance with applicable legal/regulatory requirements at least annually?
Implemented
Answer: Yes
NIST CSF V1.1: ID.GV-3, PR.IP-5 NIST CSF V2.0: GV.OC-03, PR.IR-02

Operational Resilience · Resiliency

Does your organization have documented, communicated business continuity and disaster recovery plans, tested at least annually?
Implemented
Answer: Yes — BCP and DR plans are documented, communicated, and tested at least annually.
NIST CSF V2.0: GV.OC-04, ID.IM-02, ID.IM-04, PR.IR-03, RC.RP-01
How often are backups taken, are they encrypted, and where are they stored?
Implemented
Answer: At least daily, encrypted, stored in distributed US locations; recovery tested at least annually.
NIST CSF V1.1: PR.IP-4, PR.DS-2 NIST CSF V2.0: PR.DS-11, PR.DS-02
What are the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)?
Implemented
Answer: RPO: 2 hours or less. RTO: 4 hours or less.
What availability percentage is specified in your SLA? Is support available 24x7?
Implemented
Answer: ≥ 99.9% availability target; 24x7 monitoring of uptime/availability.

Incident Response Management · Vendor-Operational

Does your organization have a formal security incident management and response plan documenting activities, procedures, and roles?
Implemented
Answer: Yes
Incidents are triaged by severity with defined escalation paths; incident logs are stored separately from application databases.
NIST CSF V2.0: RS.MA-01, RS.MA-02, RS.CO-02, RS.CO-03
Does your organization have a documented process for notifying customers of incidents, and how quickly?
Implemented
Answer: Yes — customers are notified in less than 24 hours via email/support portal; PHI breaches per 45 CFR §164.410.
HIPAA Breach Notification Rule §164.410 NIST CSF V2.0: RS.CO-03, RC.CO-03 Evidence →

AI Use & Model Governance · Artificial Intelligence (AI)

Did you mitigate OWASP LLM Top 10 risks during the development of your AI model?
Compensating Control
Answer: Yes (compensating controls) — OWASP LLM Top 10 risks are addressed for our AI-assisted features.
NEDOCS does not train foundation models. AI-assisted features (shift-debrief summarization, forecasting) call a third-party LLM (Anthropic) under enterprise controls with a contractual no-training commitment. OWASP LLM Top 10 mitigations in place: prompt/response handling to limit prompt injection, no PHI/PII sent in the evaluation tier (input minimization/de-identification), output is advisory only (human-in-the-loop; no automated clinical decisions), least-privilege API keys, rate limiting, and monitoring. Model inputs/outputs are treated as untrusted and validated.
OWASP LLM Top 10 NIST AI RMF: GOVERN 1.1, MAP 4 Evidence →
Does your organization use customer data to train or retrain AI models? Is it anonymized?
Implemented
Answer: No customer PHI/PII is used to train foundation models; any RAG/analytics inputs are anonymized/de-identified.
External LLM providers are contractually prohibited from training on NEDOCS inputs/outputs.
NIST AI RMF: MAP 4.1
Are RBAC and MFA enforced to restrict access to AI training/inference data, with monitoring?
Implemented
Answer: Yes — RBAC + MFA, encryption at rest/in transit, logical segmentation, and monitoring for anomalies.
NIST AI RMF: MAP 4

No questions match your filter.

I AM GRACE INC. (California corporation) — Attn: Compliance & Security, 2121 Avenue of the Stars, Suite 800, Century City, CA 90067

Answers are maintained by I AM GRACE INC. and reflect the state of the NEDOCS service as of the version date. Application-level controls are verifiable in the product; organizational controls are supported by policy and, where noted, third-party attestation available under NDA.

See also: HIPAA & SOC Compliance, Privacy Policy, and Evaluation Subscription Agreement.