Security
This policy outlines the data security measures in place to protect the confidential and sensitive information of our clients. We are committed to maintaining the highest level of security and privacy for our clients' data, in accordance with industry best practices and relevant compliance requirements.
This policy applies to all data collected, processed, and stored by our organisation on behalf of our clients, as well as any third-party service providers involved in handling client data.
DATA PROTECTION MEASURES
All client data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Encryption keys are managed through a dedicated key management system with strict access controls and regular rotation policies.
Our infrastructure is hosted in SOC 2 certified data centers with physical security controls including 24/7 monitoring, biometric access, and redundant power and network connectivity.
DATA AVAILABILITY AND PRESERVATION
We maintain multiple redundant systems to ensure high availability of client data. Regular backups are performed and tested, with defined recovery time and recovery point objectives.
APPLICATION SECURITY
Security is integrated throughout our software development lifecycle. All code undergoes peer review and automated security scanning before deployment. We follow secure coding standards and conduct regular security training for all engineering team members.
VULNERABILITY MANAGEMENT
We conduct regular automated vulnerability scans across our infrastructure and applications. Critical and high-severity vulnerabilities are prioritised for immediate remediation. We also conduct periodic third-party penetration testing.
PERSONNEL SECURITY
All employees complete mandatory security awareness training upon joining and annually. Training covers data handling best practices, phishing awareness, incident reporting, and compliance requirements relevant to their role.
All employees with access to client data undergo background screening prior to employment. Access follows the principle of least privilege and is reviewed regularly.
COMPLIANCE
Zannova maintains HIPAA compliance for all healthcare-related data. We have implemented the required administrative, physical, and technical safeguards for protected health information (PHI). Business Associate Agreements (BAAs) are in place with all relevant partners.
Client data is logically separated and access-controlled to ensure no cross-contamination between clients. Clients retain ownership of their data at all times and can request export or deletion in accordance with our data retention policy.
We are actively pursuing SOC 2 Type II certification and ISO 27001 accreditation. These are in progress and we expect to complete them within the current fiscal year. Prospective clients requiring documentation prior to completion are welcome to contact us.
We comply with applicable data protection regulations including GDPR for European data subjects and CCPA for California residents. Our privacy program is reviewed regularly to reflect changes in applicable law.
POLICY REVIEW AND UPDATES
This policy is subject to review and updates on an annual basis or as necessary to reflect changes in technology, industry standards, and regulatory requirements. Clients will be notified of any significant changes to this policy.