Security Policy

Security, compliance, and privacy are the number one priority at Cass. Naturally, we are HIPAA-compliant, SOC2 certified, and have engineered our architecture to handle sensitive information from the ground up. We ensure that you are kept completely safe, secure, and invisible to others.

Security is an evolution, not just something that is installed. We constantly update our threat profiles, patch our software, run disaster simulation exercises, and regularly penetration-test our servers. Our philosophy is to assume a breach; thus we implement an aggressive defense-in-depth security strategy that includes everything from effective password hashing to complex countermeasures. It is important to remember that compliance does not imply security; good security is always compliant.

SECURITY PROTOCOLS

Below you will find details of our security protocol and adopted standards that have been cleared for public release for the sake of transparency. 

X.509 / TLS

We secure all data in transit via TLS, using versions 1.2 and 1.3 only, to ensure data security.

SERVER ACCESS

All Cass servers are audited daily for compliance and vulnerabilities. Access to sensitive servers is limited to those who require it for their job function, and requires a VPN.

ADMINISTRATION / CUSTOMIZATION PLATFORM ACCESS

All systems log the date and time of every user attempt to access the system, whether it succeeds or fails.

PHYSICAL SECURITY ELEMENTS

Our offices have a security guard at the entrance and require badge access or visitor registration upon entry. Our computers are password protected and can be wiped remotely if needed. 

Our servers are housed in AWS Data Centers.

DATA DELETION

All PHI that is no longer required for the intended and agreed-upon scope is deleted immediately and securely. Users can request data deletion at any point. For secure destruction of printed data, we enforce the use of a Security Level P-5 shredder, although documents of high sensitivity are incinerated.

EMPLOYEE TRAINING

All employees with access to sensitive data are trained to follow audited Incident Response plans and Disaster Recovery and Business Continuity plans, and to follow a strict model of least-privilege access.

ALWAYS-ON AUDITING

Vanta is used as our active auditing platform. Control owners are notified immediately if policies and procedures diverge from expectations. 

PRIVACY POLICY

Customize your privacy settings to suit your company preferences and control how your information is collected and used.

FAQ

Below are the answers to common concerns we've heard from patients, psychologists, and lawyers. 

ARE YOU HIPAA-COMPLIANT?

Yes, so long as you are on Cass's network. This includes cass.ai but does not cover any communication through third-party channels, such as SMS, Facebook Messenger, and WhatsApp (Signal by Open Whisper Systems is the only exception to this rule). Our servers that handle patient health information are dedicated. For more information, please refer to part 160, part 162, and part 164 of the United States Code of Federal Regulations. 

DO YOU COMPLY WITH DATA PROTECTION REGULATIONS?

Yes, we are HIPAA-compliant, and have engineered our architecture to handle sensitive information from the ground up, meaning that we vastly exceed regulatory specifications in most areas. We encrypt all data with at least 256-bit asymmetric or 4096-bit symmetric keys.

DOES THIS SERVICE COMPLY WITH ESTABLISHED STANDARDS?

Yes, we are HIPAA-compliant, and have engineered our architecture to handle sensitive information from the ground up, meaning that we vastly exceed regulatory specifications in most areas.

ARE YOU SOC2 CERTIFIED?

Yes, we maintain an audited SOC2 certification and use Vanta as an always-on validation platform to guarantee that we follow our policies and procedures.

WHERE CAN I READ YOUR SOC2 REPORT?

You can read it here on Cass's Vanta Trust Center dashboard.

CAN YOU INTEGRATE WITH OUR EHR OR HR CRM?

Yes, we can.

ARE MY CONVERSATIONS ANONYMOUS?

This is possible if you refrain from saying your name and you are using Cass on the web. Other communication channels require information such as a phone number or a Facebook profile.

HOW CAN I TELL IF I AM LEAKING INFORMATION?

Use our Brief Exposure Check, safe in the knowledge that your data will not be collected. Be careful with websites offering similar checks; many harvest your information. Remember, this data is a best guess and can vary from browser to browser.