04 feb 2025
Privacy Policy
Nanoheal Security: Protecting Your Data and Ensuring Business Continuity
Security is paramount at Nanoheal. We are committed to safeguarding your application data, mitigating system vulnerabilities, and guaranteeing uninterrupted access. We employ industry-standard technologies and services to protect your data from unauthorized access, disclosure, use, and loss. All Nanoheal employees undergo security training during onboarding and annually thereafter. Our security program is overseen by a dedicated Security Officer.
Vulnerability Disclosure
To report a security vulnerability or express a security concern regarding a Nanoheal product, please contact us at [email address removed].
Infrastructure and Network Security
Physical Access Control: Nanoheal leverages the robust security infrastructure of Amazon Web Services (AWS). AWS data centers employ a layered security approach, including:
Custom-designed electronic access cards
Alarms
Vehicle access barriers
Perimeter fencing
Metal detectors
Biometrics
Access logs, activity records, and camera surveillance
Regular patrols by professional security guards
Nanoheal employees do not have physical access to AWS data centers, servers, network equipment, or storage.
Penetration Testing: Independent, third-party penetration testing is conducted on the Nanoheal platform after major releases. We provide penetration test results and mitigation details to our enterprise customers upon request.
Third-Party Audits: AWS undergoes regular independent audits, including SOC 2 attestation reports (performed under the AICPA SSAE standard, currently SSAE 18) and ISO 27001 certification, which verify the controls covering its data centers, infrastructure, and operations. Nanoheal is currently pursuing its own SOC 2 report and will update this section upon completion.
Intrusion Detection and Prevention: We prioritize monitoring for unusual network patterns and suspicious behavior. AWS’s intrusion detection and prevention systems (IDS/IPS) combine signature-based detection of known attack patterns with anomaly-based (behavioral) detection of activity that deviates from a baseline. This includes controlling the attack surface, deploying intelligent detection controls, and implementing automated remediation technologies. While we don't provide customers direct access to security event forensics, our engineering and customer support teams are available during and after any unscheduled downtime.
Business Continuity and Disaster Recovery
High Availability: The Nanoheal service runs on redundant components (multiple load balancers, web servers, and replica databases) so that no single server is a point of failure. Individual servers can be taken offline for maintenance without affecting availability.
Business Continuity: Encrypted data backups are continuously maintained in multiple AWS regions. In the event of production data loss, we restore your data from these backups.
Disaster Recovery: In a region-wide outage, we deploy a duplicate environment in a different AWS region and restore it from the cross-region backups.
Data Transit
Data In: All incoming connections to our servers require industry-standard TLS encryption; plaintext connections are not accepted. We do not collect sensitive information such as credit card numbers, IBANs, or SSNs.
Data Between Servers: Connections between our servers are encrypted with TLS using AES-256 cipher suites. Secrets such as database passwords and API keys are stored encrypted with AES-256.
Data Out: Responses are returned over HTTPS (TLS) connections.
Data Security and Privacy
Data Encryption: All data on Nanoheal servers is encrypted at rest using keys managed by AWS Key Management Service (KMS). Because the keys are held in KMS rather than on the storage volumes, the data remains protected even if a physical storage device is removed or compromised. Data is also encrypted in transit over HTTPS (TLS).
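The "secrets encrypted with AES-256" and "encrypted at rest with KMS-managed keys" statements above both describe envelope encryption: each record is sealed under its own random data key, and only that data key is encrypted under a master key that never leaves the key service. The Go program below is an added illustration of that pattern and is not Nanoheal's code; the in-memory master key and the Encrypt/Decrypt/Envelope names are assumptions standing in for KMS, whose GenerateDataKey and Decrypt calls would replace the wrap and unwrap steps in production. The sample secret is constructed for the example.

```go
// Envelope encryption of a stored secret with AES-256-GCM.
// Added illustration, not Nanoheal's code: the master key below stands in
// for a KMS-managed key; in production the wrap/unwrap of the data key is a
// KMS call and the master key never leaves the key service.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored: the data key encrypted under the master key,
// plus the record encrypted under the data key, each with its own nonce.
type Envelope struct {
	WrappedKey []byte // data key encrypted with the master key
	KeyNonce   []byte
	Ciphertext []byte // record encrypted with the data key
	DataNonce  []byte
}

// newGCM returns an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted; here it binds the ciphertext to its purpose.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, aad or ciphertext differ.
func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// Encrypt generates a one-time 256-bit data key, seals the record with it,
// wraps the data key under the master key, and lets the plaintext key go.
func Encrypt(masterKey, record []byte, recordID string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	dataNonce, ct, err := seal(dataKey, record, []byte(recordID))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(masterKey, dataKey, []byte("data-key:"+recordID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, KeyNonce: keyNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt unwraps the data key with the master key, then opens the record.
// Any change to the stored bytes, or use under a different record ID,
// makes the GCM tag check fail instead of returning garbage.
func Decrypt(masterKey []byte, env *Envelope, recordID string) ([]byte, error) {
	dataKey, err := open(masterKey, env.KeyNonce, env.WrappedKey, []byte("data-key:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.DataNonce, env.Ciphertext, []byte(recordID))
}

func main() {
	masterKey := make([]byte, 32) // stand-in for the KMS key; never stored with the data
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	record := []byte(`{"db_password":"constructed-sample-secret"}`) // constructed sample
	env, err := Encrypt(masterKey, record, "secret/db/prod")
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(masterKey, env, "secret/db/prod")
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, record))
	env.Ciphertext[0] ^= 0x01 // simulate a modified storage block
	_, err = Decrypt(masterKey, env, "secret/db/prod")
	fmt.Println("tamper detected:", err != nil)
}
```

Two design points matter for the at-rest guarantee: the record ID is passed as GCM associated data, so a ciphertext copied from one record cannot be decrypted as another, and each data key is used for exactly one message, so the random 96-bit nonce carries no reuse risk. Losing the master key (or revoking the KMS key) renders every envelope unrecoverable, which is the property that protects data on a lost storage device.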
Data Retention & Removal: Nanoheal retains data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and support our business operations. Specific retention periods vary depending on the type of data and the applicable legal and regulatory requirements.
Data Retention Policies: Our data retention policies outline the specific timeframes for retaining different categories of data. These policies are regularly reviewed and updated as needed.
Data Removal: Users may request the deletion of their data, subject to certain exceptions, such as legal obligations or ongoing contractual relationships. Upon a valid data deletion request, we will securely and permanently remove the data from our systems. Please submit data deletion requests to privacy@nanoheal.com. Please note that some data may be retained in anonymized or aggregated form for analytical purposes.
PII Removal: We do not collect personally identifiable information (PII) on the Nanoheal platform. Server-side filtering is available to prevent the collection of device identifiers such as system serial numbers.
Security Training
All employees receive comprehensive onboarding and systems training, including security policies, software development best practices, and ethical guidelines. Engineers undergo additional security policy reviews and contribute to policy development through internal documentation. Policy changes are communicated through pull requests and email notifications.
Disclosure Policy
Nanoheal follows the SANS incident handling process (preparation, identification, containment, eradication, recovery, and lessons learned), with communication and documentation of the security event carried out at each stage. Customers are notified of data breaches as soon as possible via email and phone, with regular updates provided throughout the incident.
Incident Response Plan
We maintain a well-defined incident response plan with clear roles and responsibilities:
Level 1: Initial triage and escalation.
Level 2: Security Officer classifies the incident and activates the Security Incident Response Team (SIRT).
Level 3: Security Officer or CEO communicates with affected parties.
Our process includes:
Triage: Verification of the incident and initial impact assessment.
Escalation: Immediate escalation to Level 2 and then Level 3.
Classification: Determining the severity and scope of the incident.
Investigation: Analysis of the incident to identify root causes.
Lessons Learned: Implementing preventative measures and improving future processes.
Feedback
For any questions regarding this page, please contact us at support@nanoheal.com.