Security Program
Our customers trust us to act as a custodian of sensitive patient and customer information. We are honoured to have that trust placed in us and consequently take our responsibility to protect that information extremely seriously. We use our Privacy and Security Programs to ensure the confidentiality, availability and integrity of information. Our Security Team runs our Security Program and maintains this page for stakeholders interested in the Security Program.
ISO/IEC 27001
Our solution is certified in accordance with the ISO/IEC 27001:2013 standard for Information Security Management Systems (ISMS), demonstrating our commitment to protecting private health information, quality, and governance.
Please contact the security team by emailing security@cardihab.com if you have any questions or concerns that are not addressed in our Frequently Asked Questions (FAQ).
Vulnerability Disclosure
Cardihab welcomes the responsible disclosure of vulnerability reports from anyone who finds a security issue with our products. We look forward to working with the security community to resolve security vulnerabilities so we can keep patient information safe and continuously improve our security practices.
How to Submit your Report
- Please send your report to security@cardihab.com (preferably encrypted with our public PGP key).
- Be sure to include relevant details in the report, such as the platform, the app/server version, the conditions necessary for the exploit to work, a description with proof of concept or exploit code, the impact of the issue if exploited, etc.
- Do not contact individual Cardihab staff directly.
- Report only one vulnerability per email.
If we have any questions related to the report, we’ll be sure to let you know.
Response Targets
Cardihab will make a best effort to meet the following response targets for researchers contributing to our program:
- Time to first response (from report submission): 5 business days
Program Rules
Cardihab appreciates all the help it can get to keep patient data safe and improve our security. However, please do not:
- Violate any laws.
- Socially engineer our employees, customer support team, patients or customers.
- Access, modify, reveal, or damage the account or data of Cardihab customers.
- Damage or compromise the integrity of our system.
- Run tools that degrade our services for our customers.
- Openly disclose vulnerabilities without the consent of Cardihab.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Denial of Service (DoS) vulnerabilities.
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device.
- Security bugs in third-party sites and software that integrate with our products.
- Insecure cookie handling.
- Spam or social engineering techniques.
- Issues related to email spoofing.
Safe Harbour
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep patient data safe!