Trust Center
At CIVIE, we understand that security and compliance are the foundation of modern healthcare. We are committed to protecting the data of our partners and their patients through a rigorous, multi-layered security framework.
Compliance & Certifications
Our certifications demonstrate our commitment to the highest standards of security and compliance.
HITRUST CSF Certified
We have achieved HITRUST CSF® certification, the gold standard for security in the healthcare industry. This certification demonstrates that our systems meet the highest standards for data protection and risk management by harmonizing requirements from HIPAA, NIST, and ISO.
HIPAA Alignment
Our platform and processes are fully aligned with the Health Insurance Portability and Accountability Act (HIPAA). We maintain strict administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI).
Future Roadmap: SOC 2
As part of our commitment to continuous improvement, we are on the roadmap for SOC 2 Type II attestation to further validate our internal controls related to security, availability, and confidentiality.
Governance & Leadership
Security is a top-down priority at CIVIE. Our security and privacy programs are led by dedicated executive leadership:
Chief Information Security Officer
- Oversees enterprise-wide security strategy and architecture
- Leads incident response and risk management programs
- Reports directly to executive leadership on security posture
Chief Compliance Officer
- Ensures ongoing regulatory alignment and audit readiness
- Manages compliance frameworks including HIPAA and HITRUST
- Coordinates with legal and privacy teams on data protection
Cloud-Native Infrastructure
Built on enterprise-grade infrastructure with defense-in-depth security controls.
Azure-Powered Security
CIVIE is a cloud-native organization built on Microsoft Azure. This architecture allows us to leverage enterprise-grade security features to consolidate and protect data. By utilizing Azure’s global infrastructure, we ensure high availability, redundancy, and advanced encryption both at rest and in transit.
Data Encryption
At Rest
All sensitive data, including PHI, is encrypted using AES-256 encryption standards.
In Transit
Data transmitted between our systems and our customers is protected using industry-standard TLS 1.2 or higher encryption protocols.
Business Continuity & Disaster Recovery (BCDR)
Our Azure-native architecture provides built-in resilience. We maintain a comprehensive Business Continuity and Disaster Recovery (BCDR) program that includes:
Secure Development Lifecycle
We follow a Secure Software Development Lifecycle (SDLC) based on global best practices, including:
Code Reviews
All changes undergo peer review to reduce defects and catch security issues before release.
Penetration Testing
We conduct regular penetration testing via authorized vendors to identify vulnerabilities and prioritize remediation based on risk.
Third-Party Risk Management
We hold our vendors to the same high standards we set for ourselves:
Vendor Assessments
We evaluate vendors’ security posture and contractual controls before onboarding and throughout the relationship.
Ongoing Monitoring
We use a third-party risk monitoring service to maintain continuous visibility into our vendors’ security postures; its real-time security ratings allow us to proactively monitor and manage third-party risk across our entire supply chain.
Endpoint & Data Protection
Comprehensive protection for all devices and data access points.
Incident Response & Transparency
Prepared to detect, respond to, and communicate about security incidents.
Formal Incident Response Plan
CIVIE maintains a formal Incident Response Plan (IRP) that is reviewed and tested annually. We are committed to transparent communication in accordance with HIPAA and other applicable regulations.
- 24/7 incident response team with defined escalation paths
- Annual testing and tabletop exercises to validate response procedures
- HIPAA-aligned breach notification and communication commitments to affected parties
24/7/365 Monitoring & Operations
Round-the-clock vigilance to detect and respond to threats in real time.
SIEM & SOC
All system events and logs are ingested into our Security Information and Event Management (SIEM) platform. This system is monitored 24/7/365 by security professionals to ensure real-time detection and response to anomalous activity.
The Human Firewall
Technology is only one part of our security program. We invest heavily in our people to ensure they are the first line of defense:
- Quarterly Training: Mandatory quarterly training for all employees focused on HIPAA compliance and cybersecurity best practices.
- Phishing Simulations: Regular simulations to maintain vigilance against evolving social engineering threats.