Security
Your data privacy is of the highest importance to Array Insights. Because it’s yours.
No data brokerage. No data profiteering. It’s advocacy, without compromise.
As an agnostic software and service provider, Array Insights uses a pioneering form of patient-centric AI technology to ensure that the security and privacy of patient data stay at the forefront of your mission.
So how do we do it?
Tallulah enables collection and analysis of unstructured narrative, video and voice data in multiple languages for broader patient representation – and nobody has access to your data but you.
Accelerate your organization’s goals with technology that puts patient privacy first.
Here’s how it works:
- Tallulah allows you to securely collect and store patient or caregiver story data
- Tallulah then securely analyzes your data using artificial intelligence, but no third-party AI software retains or trains on your data. Your data is stored securely in your own instance of our platform.
- You then have access to insights into your data that allow you to better serve your community.
Data Security
Data can be in one of three states and needs to be secured in each of these states:
In-storage or at-rest, In-transit, In-use (computation)
Stored data is encrypted
Data in transit is encrypted using TLS
Data is encrypted in RAM and only decrypted in CPU
Data Security during storage
The Array Insights platform uses AES GCM 256 Keys to encrypt every dataset and assigns a unique set of keys to secure the contributed data. One RSA 4096 key is allocated for each data submitter, such as hospitals, for each federation. This RSA key encrypts the AES keys generated for each dataset. If the data submitter decides, they can revoke the RSA keys, which will render all the datasets locked permanently and unusable by the platform. All the keys used remain within the platform and never leave its boundary.
Data Security in transit
As it transports over the network, data is encrypted using TLS. TLS is a well-known cryptographic protocol that provides end-to-end security of data sent between applications over the Internet. The platform uses digital signatures to ensure the identity and integrity of data throughout the platform.
Data Security in-use
The data is decrypted only during analysis. The data and code (computation) live in an Azure Confidential Compute machine (AMD processors with SEV-SNP enabled). These machines offer protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE).
A TEE environment enforces the execution of only authorized code and any data in the TEE can’t be read or tampered with by any code outside that environment, reducing the ability for a cloud provider operator and other actors to access code and data while being executed.
In addition, Azure offers an attestation solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. Attestation is a critical component of confidential computing as it ensures that only trusted components can access sensitive data or perform sensitive operations in a secure computing environment.
HIPAA
Achieved Compliance October, 2024
Our team has partnered with Insight Assurance to complete the HIPAA Security Rule Assessment.
SOC 2
Achieved Compliance October, 2024
Our team has partnered with Insight Assurance to complete SOC2 Type 1 examination.
SOC2 Type 2 examination in progress.
GDPR
GDPR documentation and technical information for UK and EU customers can be found here.
Risk Management
Our risk management policy covers the administrative, physical, and technical processes that enable and govern any PHI and PII that is created, maintained, received, or transmitted by Array Insights.
Incident Response, Disaster Recovery and Business Continuity Plans
IR, DR, and BC plans are in implemented at Array Insights. These plans are tested and reviewed at least annually in compliance with industry best practices.
Information Security Management Program
We have documented and implemented an ISMP following HIPAA, GDPR and HITECH control framework.
Product Security
Tallulah is built to grow and further expand your mission of patient advocacy.
Privacy and Security Training
All employees are required to undergo security and privacy training through a designated third-party. Training initially takes place as part of the onboarding process and all employees receive annual training.
Employee Background Checks
Background checks are performed on all Array Insights employees during the hiring process.