Compliance & Policies

▪ The Video Interpreting platform is HIPAA compliant
▪ All GCP access accounts use multi-factor authentication in addition to a strong password
▪ Production server credentials are not committed to code; they are provisioned on build server and stored securely
▪ All database queries are properly escaped at database abstraction object/service level, even if query data comes
from a hard-coded string, constant, or other trusted source
▪ API secret keys are not checked in to code repository
▪ MFA shared secrets are not checked in to code repository
▪ Any other key, password, or protected values are not checked in to code repository OK, check regarding CLI API
username and PW are not checked into the code repository
▪ Production database and other non-public servers access is restricted to production servers (no public IP address
for servers)
▪ Production servers can only be accessed through an HTTPS/SSL protocol (port 443) and TLS
▪ We are not storing any customer data. All customer data for billing is sent directly to CLI and deleted from any
MERFI database.
▪ Server logs are sanitized of customer data to prevent information leakage
▪ Server logs are secured on servers, and access is restricted as strongly as any other data
▪ Access to production server is heavily restricted and requires temporary, fully logged permissions for specific
timeframes to prevent internal leaks