Trust
Security
Security is foundational to everything Cuvo runs. We operate a comprehensive, multi-layered security program with administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. Our security posture is aligned with the standards of the HIPAA Security Rule and industry best practices.
1HIPAA and Protected Health Information
When our client is a Covered Entity under HIPAA (such as a hospital, clinic, or licensed healthcare provider), Cuvo acts as a Business Associate. We are legally bound by contract (a Business Associate Agreement, or BAA) and by law to implement the stringent privacy and security safeguards required by HIPAA to protect Protected Health Information (PHI).
End-user data, including PHI, is stored within our Amazon Web Services (AWS) environment under a Business Associate Agreement with AWS, ensuring HIPAA's security requirements are met for this data.
2Administrative safeguards
- Security governance: A designated Data Protection Officer, Ryan Morovich, and a formal information security program.
- Employee training: All employees undergo mandatory, regular training on data privacy and security protocols.
- Risk management: We conduct regular risk assessments to identify and mitigate potential threats to data.
- Incident response plan: We maintain and test a detailed plan to promptly respond to and manage any security incidents.
3Technical safeguards
- Encryption: All personal information is encrypted both in transit using strong TLS protocols and at rest using AES-256 or equivalent standards.
- Access controls: We enforce strict role-based access control (RBAC) and the principle of least privilege, so personnel can only access the data essential to their job function. All access to sensitive data is logged.
- Network security: Our infrastructure is protected by firewalls and intrusion detection and prevention systems (IDS/IPS), and undergoes regular vulnerability scanning and penetration testing.
4Physical safeguards
We rely on the world-class physical security of our cloud provider, AWS, whose data centers feature extensive measures including biometric access controls, 24/7 surveillance, and environmental controls.
5Payments and data handling
- Payment security: Card and bank details are processed by our PCI-compliant payment processor, Stripe; we do not store full payment card numbers on our systems.
- Data minimization: We collect only the information that is adequate, relevant, and reasonably necessary for the specified purposes.
- Retention and deletion: We retain personal information only as long as necessary to fulfill its purpose or to meet legal, accounting, or reporting requirements. End-user data is retained per our client contracts and, on termination, is securely returned to the client or destroyed as required by law, including HIPAA.
6Reporting a security concern
If you have a question about our security practices, or need to report a concern, please contact our Data Protection Officer.
Data Protection Officer
Ryan Morovich
Medstra Inc., doing business as Cuvo Health
901 N Market Street, Suite 100
Wilmington, DE 19801
privacy@cuvo.co