Our AI Ethics Principles
These principles guide every aspect of our AI development, from initial design through deployment and ongoing maintenance.
Human-Centered Design
Our AI systems are designed to augment human decision-making, not replace it. Healthcare professionals maintain ultimate responsibility for participant care decisions.
Privacy by Design
Participant privacy is fundamental to our AI development. All AI processing happens within our dedicated secure GCP environment with zero external AI service calls.
Transparency & Explainability
Our AI systems provide clear explanations for their recommendations, enabling healthcare professionals to understand and validate AI insights.
Fairness & Non-Discrimination
Our AI models are regularly audited for bias and trained to provide equitable care recommendations across all participant demographics.
Safety & Reliability
Our AI systems undergo rigorous testing and include multiple safeguards to ensure participant safety and system reliability.
Continuous Improvement
We continuously update our AI systems based on healthcare professional feedback, regulatory changes, and advances in AI safety research.
Security & Compliance Controls
Comprehensive security controls implementing industry best practices for healthcare data protection.
Infrastructure Security
Unique Account Authentication Enforced
Authentication to systems and applications requires unique username and password or authorized SSH keys
Production Application Access Restricted
System access restricted to authorized access only
Production Database Access Restricted
Privileged access to databases restricted to authorized users with business need
Firewall Access Restricted
Privileged access to firewall restricted to authorized users with business need
Unique Network System Authentication Enforced
Authentication to production network requires unique usernames and passwords or authorized SSH keys
Remote Access Encrypted Enforced
Production systems can only be remotely accessed by authorized employees via approved encrypted connection
Network Firewalls Utilized
Firewalls are used and configured to prevent unauthorized access
Network and System Hardening Standards Maintained
Network and system hardening standards are documented, based on industry best practices, and reviewed annually
Organizational Security
Asset Disposal Procedures Utilized
Electronic media containing confidential information is purged or destroyed per best practices with certificates of destruction
Portable Media Encrypted
Portable and removable media devices are encrypted when used
Employee Background Checks Performed
Background checks are performed on new employees
Performance Evaluations Conducted
Managers complete performance evaluations for direct reports at least annually
Password Policy Enforced
Passwords for in-scope system components are configured according to company policy
Visitor Procedures Enforced
Visitors must sign in, wear a visitor badge, and be escorted by an authorized employee when accessing secure areas
Code of Conduct Enforced
Formalized Code of Conduct demonstrates importance of integrity and ethical values, included in Employee Handbook
Code of Conduct Acknowledged by New Employees
New employees sign statement signifying receipt, understanding, and agreement to follow Code of Conduct and policies
Product Security
Data Encryption Utilized
Datastores housing sensitive customer data are encrypted at rest
Control Self-Assessments Conducted
Control self-assessments performed at least annually with corrective actions based on findings
Penetration Testing Performed
Penetration testing performed at least annually with remediation plan and vulnerability fixes per SLAs
Data Transmission Encrypted
Secure data transmission protocols encrypt confidential and sensitive data when transmitted over public networks
Vulnerability and System Monitoring Procedures Established
Formal policies outline requirements for vulnerability management and system monitoring
Internal Security Procedures
Continuity and Disaster Recovery Plans Established
Business Continuity and Disaster Recovery Plans outline communication plans to maintain information security continuity
Continuity and Disaster Recovery Plans Tested
Documented business continuity/disaster recovery (BC/DR) plan is tested at least annually
Cybersecurity Insurance Maintained
Cybersecurity insurance maintained to mitigate financial impact of business disruptions
Configuration Management System Established
Configuration management procedure ensures system configurations are deployed consistently
Development Lifecycle Established
Formal systems development life cycle (SDLC) methodology governs development, acquisition, implementation, and maintenance
Board Oversight Briefings Conducted
Board of directors briefed by senior management at least annually on cybersecurity and privacy risk
Security Policies Established and Reviewed
Information security policies and procedures are documented and reviewed at least annually
Incident Response Plan Tested
Incident response plan tested at least annually
Risk Assessments Performed
Risk assessments performed at least annually with threat identification and formal risk assessment including fraud consideration
Data and Privacy
Data Retention Procedures Established
Formal retention and disposal procedures guide secure retention and disposal of company and customer data
Customer Data Deleted Upon Leaving
Customer data containing confidential information is purged or removed from application environment per best practices when customers leave
Data Classification Policy Established
Data classification policy ensures confidential data is properly secured and restricted to authorized personnel
AI Governance
Private AI Processing Only
All AI operations execute within our dedicated secure GCP environment - zero external AI service calls to OpenAI, Anthropic, etc.
AI Model Validation and Testing
Rigorous pre-deployment testing including accuracy, safety, and bias validation across demographic groups
Continuous Bias Monitoring
Ongoing monitoring for AI bias across participant demographics with automated alerting for disparate impact
AI Explainability and Transparency
Plain-language explanations, confidence scores, and source data transparency for all AI recommendations
Human-in-the-Loop Design
AI provides insights while healthcare professionals maintain ultimate decision-making authority
AI Safety Guardrails
Multiple safety mechanisms including graceful degradation, unusual pattern alerts, and manual override capabilities
No External AI Data Sharing
Participant data never transmitted to external AI services (OpenAI, Anthropic, etc.) - all processing remains within our dedicated secure GCP environment
AI Performance Monitoring
Continuous monitoring of AI system performance with automated alerts for accuracy degradation or unusual behavior
Security Controls Summary
Subprocessors & Data Partners
We maintain strict control over data access and work only with trusted partners who meet our security standards.
Infrastructure Partner
Google Cloud Platform
Services Provided
- Cloud infrastructure hosting
- Database services (encrypted)
- Network security and DDoS protection
- Backup and disaster recovery
Data Access
Google Cloud does not have access to participant data. All data is encrypted with customer-managed keys, and Google personnel cannot access unencrypted data under any circumstances.
Compliance Certifications
Data Processing Commitment
Private AI Processing
AI models run within our dedicated secure GCP environment
Zero External Access
No participant data shared with external AI services
Full Encryption
End-to-end encryption at all times