Scispot is committed to providing a secure and compliant environment for our customers by implementing rigorous policies and practices across all stages of our operations. From onboarding and offboarding to secure software development, our approach to security reflects industry best practices and compliance standards, including SOC 2, HIPAA, and CFR Part 11.
Scispot’s security framework is supported by a comprehensive set of policies that guide our daily operations and ensure compliance with SOC 2, HIPAA, and other industry standards. Each policy is reviewed and updated annually to align with regulatory requirements and evolving security practices. Key policies include:
Access Control Policy: Defines permissions and access levels to ensure only authorized personnel can access sensitive data and systems.
Data Management Policy: Outlines the handling, storage, and disposal of customer and internal data to protect confidentiality, integrity, and availability.
Human Resource Security Policy: Covers security training, background checks, and onboarding/offboarding practices, ensuring team members meet Scispot’s security standards.
Incident Response Policy: Provides structured procedures for detecting, containing, and managing security incidents, including clear guidelines for customer notifications.
Acceptable Use Policy (AUP): Establishes rules for responsible use of Scispot’s systems and data to prevent misuse and uphold a secure environment.
Vendor Management Policy: Ensures all third-party vendors meet Scispot’s security standards, with periodic assessments to manage potential risks from external providers.
Mobile Device Management (MDM) Policy: Sets security and compliance requirements for devices accessing Scispot’s systems, enforcing encryption, access control, and data wiping capabilities.
Secure Development Lifecycle (SDLC) Policy: Defines security practices embedded throughout the software development lifecycle, from initial coding to deployment.
Physical Security Policy: Details physical access controls to secure facilities where systems and data are stored, preventing unauthorized physical access.
Privacy and Confidentiality Policy: Reinforces Scispot’s commitment to protecting customer data privacy, ensuring compliance with HIPAA and SOC 2 confidentiality requirements.
Each of these policies is monitored and enforced through Vanta’s compliance platform, which continuously assesses adherence and provides real-time alerts for any deviations.
Key Security and Compliance Policies
1. Onboarding and Offboarding: Ensuring Secure Access Control
Onboarding: During onboarding, every new Scispot employee undergoes background checks and completes cybersecurity and compliance training covering data protection, incident response, and privacy policies. Access permissions are assigned based on role requirements, adhering to the least privilege principle.
Offboarding: When an employee or contractor exits Scispot, their access to systems, data, and physical locations is immediately revoked. This includes deactivating accounts, reclaiming devices, and removing access. Additionally, Scispot notifies customers if any individual’s access to their specific data is removed.
These processes ensure that only authorized personnel have access to sensitive data and that access is swiftly terminated when no longer required, reinforcing our data security posture.
2. Secure Development Lifecycle (SDLC): Building Security into Every Stage of Development
Scispot’s SDLC follows a secure-by-design approach, embedding security practices at every stage of software development.
Threat Identification and Vulnerability Testing: Regular vulnerability scans and code reviews are conducted to identify security threats early in development. Our team uses both automated tools and manual assessments to test for potential weaknesses.
Change Control and Documentation: Each code change undergoes a formal review and approval process, ensuring that all updates are secure and documented. Scispot maintains a changelog that tracks software modifications for transparency and auditability.
Continuous Improvement: Post-deployment, Scispot continuously monitors applications for vulnerabilities, leveraging Vanta’s real-time monitoring to maintain a proactive stance against new threats. This allows us to identify, test, and remediate security issues efficiently.
Our SDLC aligns with SOC 2 and HIPAA requirements, ensuring secure, compliant software delivery.
3. Access Management and Control: Protecting Customer Data with Granular Permissions
Role-Based Access Control (RBAC): Access to customer data and systems is controlled via RBAC, assigning permissions based on individual job functions. All access is granted following the principle of least privilege, ensuring users have only the access necessary for their role.
Multi-Factor Authentication (MFA): MFA is required for all employees accessing Scispot’s systems, adding a further layer of security. Each user is issued unique credentials so that accounts are never shared and every action can be attributed to an individual.
Quarterly Access Reviews: Access permissions are reviewed quarterly to validate that only current, authorized personnel maintain access to sensitive data.
Scispot’s access controls minimize risks associated with unauthorized access, providing robust data protection for our customers.
4. Incident Response and Continuous Monitoring: Ensuring Rapid Detection and Response
Incident Response Plan: Scispot has a documented incident response plan covering detection, containment, mitigation, and communication. Our response team is trained to act quickly in the event of an incident, with predefined protocols for notifying affected customers.
Real-Time Monitoring with Vanta: Using Vanta, Scispot continuously monitors all systems, detecting any anomalies or suspicious activities in real time. Alerts are triggered for unusual access or configuration changes, enabling proactive response to potential incidents.
Post-Incident Review: Following each incident, Scispot conducts a post-incident review to identify root causes and implement improvements, reinforcing our commitment to ongoing security.
These practices ensure that any potential threats are swiftly identified, managed, and communicated transparently to customers.
5. Data Flow Mapping and Asset Management: Structured and Documented Data Management
Data Flow Mapping: Scispot documents the flow of customer and internal data, tracking each data entry, transfer, and storage point. This mapping provides clear visibility into data handling processes, ensuring compliance and data integrity.
Asset Inventory and Tagging: Using Vanta’s integration with AWS, Scispot maintains an up-to-date inventory of hardware and software assets, with automated tagging for easy tracking. Critical assets are prioritized for enhanced monitoring and security.
Device Management: All devices accessing Scispot’s systems are managed via Mobile Device Management (MDM), enforcing compliance with security policies and minimizing risks of data leakage.
These practices ensure complete oversight of data flows and asset management within our environment, contributing to a secure and transparent system.
6. Regular Compliance Audits and Training: Building a Culture of Security Awareness
Annual SOC 2 and HIPAA Audits: Scispot undergoes yearly SOC 2 and HIPAA audits to validate our compliance with these standards. These audits cover all key controls, from access management to data encryption, ensuring continued alignment with industry requirements.
Continuous Employee Training: Scispot’s workforce participates in regular security and compliance training, including HIPAA, SOC 2, and CFR Part 11 requirements. This program includes modules on identifying phishing attacks, secure data handling, and understanding incident response protocols.
Security Reminders and Phishing Simulations: To reinforce key security practices, Scispot issues regular reminders and conducts phishing simulations, ensuring all employees remain vigilant and security-aware.
By promoting ongoing security awareness, Scispot builds a strong culture of compliance and data protection.
Summary
Scispot’s comprehensive security and compliance practices cover every aspect of our operations, from onboarding and offboarding to secure development and incident response. With continuous monitoring, strict access controls, regular audits, and a commitment to employee training, we ensure a secure, compliant environment that aligns with industry standards like SOC 2, HIPAA, and CFR Part 11.
If you have any further questions on Scispot’s security policies or compliance practices, please contact us for more information.