


InsightAlly Security and Compliance Overview
Purpose
This memorandum provides a summary of the security, privacy, and regulatory compliance posture of InsightAlly for prospective customers, partners, and diligence reviewers.
Regulatory and Compliance Alignment
HIPAA
InsightAlly is architected to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The platform supports use by covered entities and business associates through documented administrative, physical, and technical safeguards, including role-based access controls, least-privilege enforcement, audit logging, and in-boundary handling of protected health information.
SOC 2
InsightAlly’s information security program is aligned with the AICPA Trust Services Criteria. A SOC 2 Type 1 audit is in its final stages, with the report expected imminently. SOC 2 Type 2 controls are in operation and the corresponding audit is in progress.
HECVAT
InsightAlly aligns with the Higher Education Community Vendor Assessment Toolkit and is completing formal HECVAT documentation. Responses are supported by documented control evidence.
Infrastructure and Hosting
InsightAlly is hosted in a private Amazon cloud environment using HIPAA-eligible AWS services for all workloads involving protected health information. Environments are segregated, secured through private networking controls, and managed through controlled change management processes.
AI and AWS Bedrock Architecture
InsightAlly uses AWS Bedrock as its managed foundation model layer. AWS Bedrock foundation models are pre-trained, and AWS does not use customer inputs or outputs to train its base models.
Any model fine-tuning involving protected health information occurs solely within a BAA-covered AWS environment using HIPAA-eligible configurations. InsightAlly does not permit training or fine-tuning with PHI outside such environments.
Logging and monitoring services are configured within HIPAA-compliant boundaries. Access logs and workflow logs are protected, retained under policy, and reviewed for audit and incident response purposes.
Only foundation models supported under AWS HIPAA-eligible services are used for PHI workloads. InsightAlly does not route PHI to external third-party model infrastructure outside AWS Bedrock.
Data Protection and Encryption
All data at rest is encrypted using AES-256. Data in transit is encrypted using TLS 1.2 or higher. Encryption keys are centrally managed with role-based access and rotation policies.
Access Controls and Governance
InsightAlly enforces role-based access controls aligned to user personas, multi-factor authentication for administrative access, segregation of duties, and auditable workflow execution.
The platform operates as a governed support layer and does not modify or override customer systems of record.
Incident Response and Third-Party Risk
InsightAlly maintains a documented incident response plan with defined escalation, notification, and remediation procedures. Vendors and service providers are reviewed under a third-party risk management process.
Customer data is not resold, reused, or used for generalized AI model training.
