Security and Data Privacy at 4good.ai
At 4good.ai, the security of your data is our top priority. We are committed to maintaining a strong security program that protects your information and earns your trust. This page outlines our security posture, compliance with industry standards, and the measures we take to safeguard your data across our products and infrastructure.
Compliance Frameworks
4good.ai is committed to adhering to globally recognized security and privacy standards. We undergo regular independent audits to validate our security controls and demonstrate our compliance.
SOC 2 Type II
We are SOC 2 Type II compliant. Our systems and processes have been independently audited and verified to meet the trust services criteria for security, availability, and confidentiality established by the AICPA.
GDPR
We are committed to the principles of data protection and privacy for our users in the European Union. 4good.ai is actively working towards full compliance with the General Data Protection Regulation.
HIPAA
4good.ai is HIPAA compliant, ensuring that we have the necessary administrative, physical, and technical safeguards in place to protect sensitive Protected Health Information (PHI) for our customers in the healthcare industry.
EU-US Privacy Framework
To support our customers in the European Union and beyond, 4good.ai is working to certify its compliance with the EU-U.S. Data Privacy Framework (DPF).
Product Security
Security is a fundamental part of our product development lifecycle. We architect our products with a security-first mindset to protect your data and ensure platform integrity.
Secure Development Lifecycle
We incorporate security at every stage of development, from design and coding to testing and deployment, to build secure products from the ground up.
Single Sign-On (SSO)
We provide robust SSO integration, allowing you to enforce corporate authentication policies and streamline user management via your identity provider (e.g., Okta, Azure AD).
Role-Based Access Control (RBAC)
Assign granular permissions to users and groups to ensure they only have access to the data and features necessary for their roles. Tailor access rights precisely to your organizational structure and security requirements.
Audit Logs
We maintain a comprehensive and immutable record of critical user and system activity across our platform. Our security team actively monitors these logs to detect suspicious behavior and investigate potential threats.
Data Security
We employ robust technical and procedural measures to protect your data at all times. Our policies are designed to provide clarity and control over how your information is handled.
Data Encryption
In Transit: All data is encrypted using TLS 1.2 or higher.
At Rest: We utilize the industry-standard AES-256 encryption algorithm.
Data Backup and Recovery
By default, we perform regular, automated backups of your data and have established, tested procedures to ensure a timely recovery in the event of a disaster or data loss event.
Data Segregation
Your data is always kept logically separate from other customers' data in our multi-tenant architecture, ensuring strict data isolation and privacy.
Zero Data Retention for Maximum Privacy
For customers with the highest data privacy requirements, we offer a Zero Data Retention option. When this option is enabled, your data is processed in memory and is never stored on our systems or by our sub-processors.
This ensures that your sensitive documents are used exclusively for processing and are discarded immediately afterwards, providing the highest level of data privacy. With this option, customers may request a Business Associate Agreement to support processing of Protected Health Information (PHI).
Application & Network Security
4good.ai is designed as a secure, cloud-native platform. Our network infrastructure is hosted on trusted cloud providers, leveraging serverless technology within an isolated Virtual Private Cloud (VPC).
Zero Trust Architecture
This modern foundation is governed by zero-trust principles, meaning we do not automatically trust any entity inside or outside our network. By enforcing strict verification for every access request, including multi-factor authentication (MFA) and the principle of least-privilege access, we create a robust security framework.
Security Events Monitoring
We leverage cloud threat intelligence and monitoring tools to detect anomalies and potential security threats in real time, ensuring continuous protection of our systems and your data.
Regular Penetration Testing
We engage independent, third-party security experts to conduct regular penetration tests of our applications and infrastructure to identify and address potential vulnerabilities.
DDoS Mitigation
We have implemented advanced measures to protect against Distributed Denial of Service (DDoS) attacks and ensure high service availability for our customers.
Operational & Organizational Security
Security is a shared responsibility at 4good.ai, and we have implemented strong internal security practices to protect your data and maintain the integrity of our systems.
Employee Security Training
All employees receive comprehensive security awareness training upon hiring and on an ongoing basis to ensure they understand their role in protecting customer data.
Background Checks
We conduct thorough background checks on all new employees as a condition of employment, in accordance with local laws and regulations.
Patch Management
We handle all application-level patches and updates as an integral part of our weekly bug triage and release process, ensuring that security fixes are deployed promptly and efficiently.
Incident Response Plan
We have a well-defined and regularly tested incident response plan to ensure a swift, effective, and coordinated response to any potential security incident.
Vendor Security Management
We conduct security assessments of all our vendors and subprocessors to ensure they meet our security and data protection standards.
Vulnerability Scanning
We continuously scan our systems and code for vulnerabilities to identify potential issues before they can be exploited.
Trust Center & Documentation
For a more detailed look at our security and compliance posture, and to request access to our security documentation, including our SOC 2 report, please Contact Us.