Security and Privacy at Calvient

Security is at the heart of what we do. Helping our customers improve their security and compliance posture starts with our own. We build, operate, and maintain our platform with security woven into every layer.

Governance

Calvient's Security and Compliance teams establish policies and controls, monitor compliance with those controls, and prove our security posture to third-party auditors. Our policies are based on the following foundational principles:

1. Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.

2. Security controls should be implemented and layered according to the principle of defense-in-depth.

3. Security controls should be applied consistently across all areas of the enterprise.

4. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

Security & Compliance

Calvient maintains industry-recognized compliance certifications and aligns with leading security frameworks to protect our customers' healthcare data.

HIPAA
SOC 2
NIST AI RMF

Detailed compliance documentation and audit reports are available in our Trust Center.

Data Protection

Data at Rest

All datastores containing customer data are encrypted at rest. Sensitive data is additionally protected with field-level encryption: the application encrypts individual fields before they are written to the database, and the keys are held outside the database, so neither physical access to the storage nor logical access to the database (a database administrator account or a leaked dump, for example) is enough to read the most sensitive information.

Data in Transit

Calvient uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also enforce HSTS (HTTP Strict Transport Security), which instructs browsers to connect to our domains only over HTTPS, so that a cleartext request or a protocol-downgrade attempt cannot expose data in transit. Server TLS keys and certificates are managed by our cloud provider and deployed via secure load balancers.

Secret Management

Encryption keys are managed via cloud-based key management services backed by hardware security modules (HSMs), so that cryptographic operations take place inside the HSM boundary and no individual can export or directly handle key material. Application secrets are encrypted and stored securely, with access strictly limited to authorized services and personnel.

Product Security

Penetration Testing

Calvient engages with leading penetration testing firms at least annually. All areas of our product and cloud infrastructure are in-scope for these assessments, with source code fully available to testers to maximize effectiveness and coverage.

Vulnerability Scanning

We require vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

  • Static application security testing (SAST) during code review
  • Software composition analysis (SCA) for known vulnerabilities in third-party dependencies
  • Dynamic application security testing (DAST) of running applications
  • Dependency scanning for malicious packages

Enterprise Security

Endpoint Protection

All corporate devices are centrally managed and equipped with mobile device management (MDM) software and anti-malware protection. We use MDM to enforce secure configurations including disk encryption, screen lock policies, and timely software updates. Endpoint security alerts are monitored continuously.

Identity & Access Management

Calvient enforces strong identity and access management practices. We require multi-factor authentication and utilize phishing-resistant authentication factors wherever possible. Employee access is role-based, granted according to the principle of least privilege, and automatically deprovisioned upon termination.

Vendor Security

Calvient uses a risk-based approach to vendor security. Factors influencing a vendor's risk rating include access to customer and corporate data, integration with production environments, and potential impact to our customers. Each vendor's security posture is evaluated to determine a residual risk rating before approval.

Security Education

Calvient provides comprehensive security training to all employees upon onboarding and annually. All new engineers attend mandatory onboarding sessions focused on secure coding principles and practices. Our security team shares regular threat briefings with employees to inform them of important security updates requiring action.

AI Risk Management

As an AI-powered healthcare platform, Calvient is committed to building safe, transparent, and responsible AI systems. We follow the guidance of leading organizations including NIST and align with the NIST AI Risk Management Framework.

Transparency

We maintain clear documentation of how our AI models are trained, what data they process, and how decisions are made — ensuring our customers always understand the technology working on their behalf.

Human Oversight

Our AI systems are designed to augment human decision-making, not replace it. Critical clinical and operational decisions always maintain a human-in-the-loop safeguard.

Bias Mitigation

We proactively test for and mitigate bias in our AI models to ensure equitable outcomes across diverse patient populations and healthcare settings.

Continuous Monitoring

Our AI systems are continuously monitored for performance, accuracy, and safety. We maintain robust feedback loops to quickly identify and address any anomalies.

Data Privacy

At Calvient, data privacy is a first-class priority. We strive to be trustworthy stewards of all sensitive data — especially the protected health information (PHI) entrusted to us by our healthcare partners.

Visit Our Trust Center

For detailed security documentation, compliance certifications, penetration test summaries, and audit reports, visit our comprehensive Trust Center powered by Vanta.