Heisenberg Matrix Development Security Statement

Security Statement

HMD Labs (or “company”, “we”, “us” or “our”) creates solutions for tomorrow’s AI/ML enabled medical device companies. Our flagship solution, NeuronSphere®, provides extensible and integrated solutions that allow medical device companies to glean exponential value from large, complex data sets while adhering to compliance and security requirements. This fully managed ecosystem provides a complete toolkit to expedite research and development, and to bring innovative products to market quickly.

We do not collect through our Website, nor in our business, personally identifiable information of consumers. Further, while we serve as a platform for medical device companies, we do not process any protected health information. Other than our own personnel’s information, and our customers’ business points of contact, we do not process personal information.

If you wish to receive more information about our NeuronSphere® platform, you can complete the form presented on our website, or contact us at requestinfo@hmdlabs.io. By contacting us, you are consenting to our receipt of your contact information for purposes of recording and responding to your inquiry.

As a platform-as-a-service provider, we have developed our platform with security foremost in our developers’ minds. We take leading security frameworks (e.g., NIST, ISO, COSO) into consideration while developing and maintaining our platform.

Information Security Management

All employees are required to be well-versed in HMD Labs’ information security management policies, and to comply with those policies in all interactions with our and our customers’ information. These policies clearly define acceptable uses of this information and proscribe other, unauthorized uses.

Devices used to access HMD Labs’ and its customers’ information must meet HMD Labs’ standards.

Employees working remotely must use either HMD Labs-issued devices, or devices that meet HMD Labs’ standards with appropriate security tools maintained.

Access Controls – To Sensitive Areas, Networks, Servers, Data and Facilities

Access to our various environments and data sets is restricted, based on personnel’s roles and on a least privilege model. If personnel change roles or leave the company, their privileges are appropriately altered or revoked, as applicable.

Access to our facilities is restricted, and access to sensitive areas within our facilities is role-based.

Visitors who are on site are not permitted to be present without being escorted by their company host.  Visitors to our facilities wear identifying badges and cannot roam about the premises unescorted.

All visitors must agree to HMD Labs’ Code of Conduct and confidentiality agreements.

Vulnerability Management and Detection

Intrusion prevention and detection tools actively monitor HMD Labs’ environment.  Logs are reviewed on a regular basis by HMD Labs engineers and systems are actively scanned.

Firewalls, anti-virus software tools and segregated networks further harden our environment.

Third party tools are patched as needed, after testing patches to ensure compatibility with existing systems.

Incident Response Planning

While HMD Labs implements robust technology solutions, trains its personnel and maintains administrative, operational and technical controls, no company or system is immune from potential attacks. To this end, HMD Labs has developed an adaptable incident response plan that is tabletop tested. Personnel are given guidance on how, and to whom, to report suspicious activity on our systems so that events are escalated as necessary, with the intent of quickly identifying, containing and eradicating threats to the HMD Labs environment.

Business Continuity and Disaster Recovery Policy

HMD Labs has processes and procedures intended to ensure business continuity and recovery in the face of natural and man-made disasters. Systems are backed up remotely, and backups are tested regularly.

Preparations have been made for personnel to work from alternative locations and/or remotely, if necessary, to ensure continuity while maintaining security.

Communication protocols are in place to allow for alternate means of communication with management, staff, vendors and customers as needed.

Data Classification, Retention and Destruction

Data is classified based upon its sensitivity and records are labeled accordingly with the intent to minimize unintended disclosure of sensitive information.  Data is stored in segmented environments within HMD Labs’ ecosystem to reduce the risk of an intruder moving laterally within our environment.

Data retention and destruction policies have been adopted to minimize the unnecessary retention of data.

Sensitive, confidential records are encrypted at rest and in transit with strong levels of encryption.  Decryption keys are maintained separately.

Employee Life Cycle

New employees are screened and background checks are undertaken.  New employees must undergo cyber security training and review and confirm their understanding of, and agreement with, HMD Labs’ policies and procedures.  Employees are required to have robust passwords and systems are protected by multifactor authentication. Sensitive files and areas are restricted to employees with a need to know, based upon their roles and tasks within the company.

All employees must agree to be bound by HMD Labs’ Code of Conduct and are bound by confidentiality agreements.

Existing employees must undergo annual security training and participate in interim phishing and other security exercises.

When an employee leaves the company, their access credentials, company devices and key cards are all revoked, deactivated and/or returned as appropriate.  Personal devices used to access HMD Labs systems are wiped of company data.

Supply Chain/Vendor Risk Management

Recognizing that many risks are not from within companies’ environments, but from third party vendors and/or disruption of the supply chain, HMD Labs has a vendor vetting and management policy that follows vendors through the relationship life cycle, from onboarding to after termination.

Vendors complete security questionnaires, and where appropriate provide certifications as to meeting identified standards.

At the end of a vendor relationship, Company data is required, contractually, to be deleted or returned, as HMD Labs directs.

Policy Audit and Change Management

Policies, processes and procedures are reviewed at least annually.  If changes are in order or mandated by changes in applicable law, the changes are managed, introduced, implemented and documented.

Exceptions

If a case is made for an exception to a given policy, the same must be formally requested and documented.  If an exception is approved, that approval is only for a stated period, and then must be reviewed and reapproved, or the exception is then revoked.

Third Party Audits

As a new business, HMD Labs completed its SOC 2, Type 1 audit, with no exceptions.  The results of this audit are available to our customers, subject to execution of a confidentiality agreement.

The Company is not a healthcare provider or other entity subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and/or the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations.  No information you disclose to us via this website or otherwise is protected under HIPAA and/or HITECH.


For further information about HMD’s commitment to security, confidentiality, integrity and availability of its and its customers’ data, please contact nssupport@hmdlabs.io.