Data security comes first
At Eigen, we make your data useful, and we do it securely
We've implemented a robust security framework that covers all aspects of our operations, from product development to customer support.
We're committed to the safety and security of customer, partner and end-customer data.
Eigen maintains third-party certifications and passes third-party audits to ensure your information is handled in a compliant and secure manner.
Eigen has implemented the following measures to keep your data secure:
Data minimization: We only collect and process data that is necessary for our legitimate business purposes and contractual obligations.
Data encryption: We encrypt data at rest and in transit using industry-standard algorithms and protocols.
Data retention: We retain data only for as long as required by law or contract, and delete it securely when no longer needed.
Data access: We restrict access to data on a need-to-know basis using role-based access control and multi-factor authentication.
Data deletion: We provide customers with the ability to delete their data upon request, subject to legal or contractual obligations.
Data breach notifications: We notify customers and relevant authorities of any data breach without undue delay.
Eigen has implemented various technical and organizational measures to ensure compliance with these regulations such as
Need more details?
Read more about each individual security and compliance certification below.
- ISO 27001: The international gold standard for information security management systems (ISMS), ISO 27001 sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS within an organization. It provides a comprehensive list of controls that organizations can implement to address information security risks, covering access control, physical security, incident management, business continuity and more; the selection and implementation of controls is based on the organization's risk assessment and security requirements. ISO 27001 also requires organizations to document their information security policies, procedures and other relevant documentation to ensure the effective implementation and operation of the ISMS, including an information security policy, a risk assessment methodology and a statement of applicability. Finally, the standard promotes a cycle of continual improvement: organizations are expected to monitor and measure the performance of their ISMS, conduct internal audits, and take corrective actions to address identified issues and strengthen their overall security posture.
- ISO 22301: The international standard for business continuity management systems (BCMS), ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents. This includes defining the scope of the BCMS, conducting a business impact analysis (BIA), and identifying and implementing the necessary business continuity strategies and measures. The standard also emphasizes risk assessment and management: organizations must conduct a comprehensive risk assessment to identify potential threats, vulnerabilities and impacts on business operations, then implement risk mitigation measures and develop business continuity and disaster recovery plans to address the identified risks. Plans alone are not enough, so we test ours at least annually. By conducting tests, organizations can identify areas for improvement and enhance their preparedness for real-life incidents.
- ISO 27701: The international standard for privacy information management systems (PIMS), ISO 27701 outlines the requirements for establishing, implementing, maintaining and continually improving a PIMS within the context of an organization's information security management system (ISMS) based on ISO 27001. The PIMS helps organizations manage the privacy risks associated with the processing of personal information. ISO 27701 provides additional controls and guidance to address privacy requirements and protect personal information, including controls related to consent management, privacy notices, handling of personal data breaches, data subject rights, data protection impact assessments (DPIAs) and more. The standard emphasizes the need for organizations to understand and comply with applicable privacy laws, regulations and contractual requirements, including those covering data protection, cross-border data transfers, data retention and the lawful processing of personal information. ISO 27701 focuses on the secure handling of personal information throughout its lifecycle: collection, use, disclosure, storage and disposal. Organizations are expected to implement appropriate measures to protect personal information against unauthorized access, loss, disclosure, alteration or destruction.
- ISO 27017: This is the international standard for cloud security. It provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of ISO 27002 and other ISO 27000 standards.
- ISO 27018: This is the international standard for cloud privacy. It establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information in public cloud computing environments.
- HIPAA Compliance: HIPAA compliance is essential for healthcare providers, health plans and other covered entities to protect patients' sensitive health information and ensure the integrity of the healthcare system. Non-compliance can result in significant financial and reputational consequences. Organizations subject to HIPAA regulations must take steps to understand and implement the necessary safeguards and procedures to meet compliance requirements laid out by the four rules below:
The HIPAA Privacy Rule establishes standards for safeguarding individuals' protected health information (PHI), including restrictions on its use and disclosure without proper authorization. It grants individuals certain rights regarding their health information and requires covered entities to implement administrative, technical and physical safeguards to protect PHI.
The HIPAA Security Rule focuses on the technical and administrative safeguards necessary to protect electronic PHI (ePHI). It outlines specific requirements for access controls, audit controls, integrity controls, transmission security, and more. Covered entities must conduct regular risk assessments and implement safeguards to ensure the confidentiality, integrity and availability of ePHI.
The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS) and, in some cases, the media, in the event of a breach of unsecured PHI. The rule defines what constitutes a breach and establishes the timeline and method for reporting.
The HIPAA Enforcement Rule sets forth the procedures for investigating and enforcing compliance. It includes penalties for non-compliance, which can range from civil monetary penalties to criminal charges, depending on the severity of the violation.
- SOC 2 Type 1: Obtaining a SOC 2 report provides service organizations with a means to demonstrate their commitment to security, availability, processing integrity, confidentiality and privacy to clients and stakeholders. It helps clients assess the service provider's controls and make informed decisions regarding the security and reliability of the services they offer.
SOC 2 reports evaluate a service organization's controls against the Trust Services Criteria, which consist of five categories: security, availability, processing integrity, confidentiality and privacy. Eigen's report covers three of these, security, availability and confidentiality, and our next step is to add privacy. (Processing integrity isn't relevant to our business.) These criteria provide a comprehensive framework for assessing the effectiveness of controls in each area.
SOC 2 assesses the security controls in place to protect the system against unauthorized access, unauthorized disclosure and potential misuse. It evaluates the organization's infrastructure, logical access controls, data protection, incident response and other security-related practices.
The availability category focuses on ensuring that the system is accessible and operational as agreed upon with clients. SOC 2 examines controls related to infrastructure redundancy, fault tolerance, backup and recovery and the organization's ability to meet service-level agreements (SLAs).
Confidentiality controls aim to protect sensitive information from unauthorized disclosure. SOC 2 assesses the organization's data classification, access controls, encryption, confidentiality agreements and procedures to safeguard sensitive data.
SOC 2 reports come in two types: Type 1 and Type 2. A Type 1 report evaluates the design and implementation of controls at a specific point in time, while a Type 2 report assesses the operating effectiveness of controls over a period of time. Eigen's Type 1 report was issued with no exceptions.
We are constantly monitoring and improving our security and compliance practices to keep up with the evolving threats and regulations in the digital world. We also conduct regular audits and assessments by independent third parties to verify our compliance status.
If you have any questions or concerns about our security and compliance, please contact us.