Information Security Policy
Effective Date: March 16, 2026 — Version 3.0
Public Summary
1. Our Commitment to Security
Natoe Inc., doing business as Natoe AI, is committed to safeguarding the confidentiality, integrity, and availability of all information entrusted to us, including Protected Health Information (PHI) and diagnostic imaging data. As a HIPAA Covered Entity providing diagnostic imaging analysis services primarily to healthcare facilities in the State of Florida, we maintain a comprehensive information security program that meets or exceeds the requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C).
This document provides a summary of our security practices for healthcare facilities, partners, and other stakeholders. Detailed security documentation is available upon request under appropriate confidentiality agreements.
2. Security Governance
- A designated Security Officer oversees our information security program.
- Security policies and procedures are reviewed and updated at least annually.
- Risk assessments are conducted regularly to identify and address potential threats.
- Management is actively engaged in security governance and resource allocation.
3. Administrative Safeguards
3.1 Workforce Security
- Background checks are conducted for all employees and contractors who access PHI.
- Role-based access controls ensure workforce members access only the minimum necessary information for their job functions.
- Access is promptly revoked upon termination or role change.
- All workforce members sign confidentiality agreements.
3.2 Training and Awareness
- All workforce members complete HIPAA security and privacy training upon hire.
- Annual refresher training is mandatory for all personnel.
- Ongoing security awareness communications address emerging threats.
- Specialized training is provided for personnel with elevated system access.
3.3 Incident Management
- A documented incident response plan is maintained and tested.
- Security incidents are investigated, documented, and remediated.
- Breach notification procedures comply with HIPAA and state law requirements.
- Post-incident reviews are conducted to prevent recurrence.
4. Technical Safeguards
4.1 Access Controls
- Unique user identification for all system users.
- Multi-factor authentication (MFA) required for platform access.
- Automatic session timeout after periods of inactivity: 15 minutes for clinical platform; 30 minutes for administrative systems.
- Role-based access controls with principle of least privilege.
- Regular access reviews and recertification.
4.2 Encryption
- Data in transit is protected using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 or equivalent encryption.
- Encryption key management follows industry best practices.
- All diagnostic imaging data is encrypted during transmission and storage.
4.3 Audit Controls
- Comprehensive logging of all system access and activities, including user identity, timestamp, IP address, cases and imaging studies accessed, reports generated, and all clinical actions performed.
- Failed login attempts and authentication events are logged for intrusion detection purposes.
- Audit logs are protected from unauthorized modification or deletion.
- Regular review of audit logs for suspicious activity, unauthorized access patterns, and anomalous behavior.
- Audit log retention: Minimum six (6) years per HIPAA requirements.
4.4 Network Security
- Firewalls and intrusion detection/prevention systems protect our network.
- Network segmentation isolates sensitive systems.
- Independent third-party penetration testing conducted at least annually, with scope covering all systems that process, store, or transmit PHI.
- Vulnerability scanning conducted at least quarterly by qualified personnel, with results reported to the Security Officer.
- Secure VPN access for remote administration.
4.5 Patch Management
- Critical security patches applied within seventy-two (72) hours of availability.
- Non-critical security patches applied within thirty (30) days.
- Emergency zero-day patches applied within twenty-four (24) hours of discovery.
- Patch deployment is tracked, tested, and documented for compliance verification.
5. Physical Safeguards
5.1 Server Infrastructure
Natoe AI maintains its own proprietary software stack for processing PHI and diagnostic imaging data, hosted on dedicated server infrastructure at a third-party data center facility. While the software, data management systems, and logical access controls are entirely under Natoe’s control, the physical server hardware is housed at a third-party hosting provider’s facility. This hosting provider is bound by a Business Associate Agreement and subject to the following requirements:
- Restricted physical access to server facilities with electronic access controls.
- Environmental controls including climate management, fire suppression, and power backup.
- 24/7 monitoring of physical premises.
- Visitor access logging and escort requirements.
- The hosting provider does not have logical access to PHI; all data is encrypted at rest.
- Natoe conducts periodic security assessments of the hosting provider’s physical security controls.
- The hosting provider is required to notify Natoe immediately of any physical security incident.
5.2 Workstation and Device Security
- Workstations accessing PHI are physically secured and encrypted.
- Mobile device management policies govern portable devices.
- Media disposal procedures ensure secure destruction of data-bearing devices.
5.3 Remote Work and Web-Based Platform Access
Many of our radiologists work remotely using personal devices. The Natoe AI platform is a web-based application accessed entirely through a browser — no software installation is required on personal devices, and no PHI is downloaded to or stored on personal devices. The platform enforces the following security controls:
- Two-factor authentication (2FA) is mandatory for all platform access.
- Automatic session timeout after 15 minutes of inactivity.
- All data transmission is encrypted via TLS 1.2 or higher.
- The platform does not permit downloading, printing, or local storage of PHI.
- All access is logged server-side, including user identity, IP address, timestamp, cases accessed, and actions performed.
- Failed login attempts are logged and trigger account lockout after a defined threshold.
Because no PHI resides on personal devices, Mobile Device Management (MDM), full disk encryption, and VPN are not required for platform access. Workforce members are expected to maintain basic device hygiene: current browser and OS updates, strong device passwords, and avoidance of public or shared computers; if the platform must be accessed from such a computer, the user must log out and clear session data afterward.
Screen privacy measures (such as privacy screen protectors or positioned screens) are recommended when accessing the platform in shared or public spaces, as imaging studies are displayed on-screen during interpretation sessions.
6. Business Continuity and Disaster Recovery
- Business continuity and disaster recovery plans are maintained and tested at least annually.
- Regular data backups with encrypted off-site storage.
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Redundant systems and failover capabilities for critical services.
- Incident response tabletop exercises conducted at least annually to assess and improve response capabilities.
7. Vendor and Third-Party Management
- All third-party service providers with access to PHI are required to sign Business Associate Agreements.
- Vendor security assessments are conducted before engagement and periodically thereafter.
- Third-party access is limited to the minimum necessary for service delivery.
- Vendor compliance is monitored on an ongoing basis.
8. Data Classification
All information is classified into one of four levels to determine appropriate safeguards:
- Public: Information intended for public disclosure with no confidentiality requirements.
- Internal: Information for internal use only, requiring basic access controls.
- Confidential: Sensitive business or operational information requiring elevated safeguards and restricted access.
- Restricted: Protected Health Information (PHI), patient diagnostic imaging data, and other highly sensitive healthcare information subject to stringent access controls and encryption.
PHI and diagnostic imaging data are classified as Restricted and receive the highest level of protection.
9. Compliance and Certifications
Our security program is designed to align with and comply with:
- HIPAA Security Rule (45 CFR Part 164, Subpart C) and Privacy Rule (45 CFR Part 164, Subpart E).
- HITECH Act requirements.
- NIST Cybersecurity Framework 2.0.
- NIST Special Publication 800-53 security controls.
- Applicable state health information security requirements.
We are currently evaluating SOC 2 Type II certification as part of our roadmap for enhanced transparency and assurance to healthcare partners.
Our AI clinical decision support tools have received FDA 510(k) clearance for their intended uses. Natoe maintains documentation of FDA clearance status and regulatory compliance for all AI/ML tools used in clinical workflows.
10. Security Inquiries
Healthcare facilities and partners requiring additional security documentation, including our full security policies, risk assessment summaries, or information regarding our SOC 2 certification status, may submit requests to:
Natoe Inc.
Email: [email protected]
All requests will be evaluated and responded to under appropriate confidentiality agreements.