AWS Well-Architected Framework
Because Customers’ data are important, Viz.ai adopted the “AWS Well-Architected Framework” to ensure that we build the most secure, high-performing, resilient, and efficient infrastructure possible for our application.
AWS’s whitepaper introduces you to the AWS Well-Architected Framework, covering key concepts, design principles for architecting in the cloud, and the five pillars. The appendix includes the current questions for reviewing a workload using the Framework.
The operational excellence pillar focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures. Key topics include managing and automating changes, responding to events, and defining standards to successfully manage daily operations.
Operational Excellence whitepaper
The security pillar focuses on protecting information & systems. Key topics include confidentiality and integrity of data, identifying and managing who can do what with privilege management, protecting systems, and establishing controls to detect security events.
Security Pillar whitepaper
The reliability pillar focuses on the ability to prevent, and quickly recover from failures to meet business and customer demand. Key topics include foundational elements around setup,
Reliability Pillar whitepaper
The performance efficiency pillar focuses on using IT and computing resources efficiently. Key topics include selecting the right resource types and sizes based on workload requirements, monitoring performance, and making informed decisions to maintain efficiency as business needs evolve.
Performance Efficiency whitepaper
Cost Optimization focuses on avoiding unneeded costs. Key topics include understanding and controlling where money is being spent, selecting the most appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without overspending.
Cost Optimization whitepaper
This framework provides a consistent approach with which to evaluate architectures and provides guidance to help implement designs that will scale with our applications' needs over time.
We are audited every six months and certified by Amazon Web Services.
Read more about this Framework here
You can request the audit report here, pending a signed NDA.
From the outset, our cloud infrastructure has complied with the fundamental guidelines and pillars of business continuity:
- Full redundancy
- Load balancing
- Fail-over
Our cloud solution has been designed on a high-availability architecture in order to be resilient even in cases of disruption. This proven architecture protects services and systems from failure in one or more components and offers a high level of resiliency and business continuity.
For the most part, Viz.ai uses the flexibility provided by Amazon Web Services (AWS) to place instances and store data within multiple Availability Zones within each region. Each AWS Availability Zone is designed as an independent failure zone. In case of failure, automated processes move customer data traffic away from the affected area.
The robust solution provided by Viz.ai is designed to work in parallel with Customers’ current Standard of Care. If the Viz.ai system is unavailable, Customers continue to follow their existing Standard of Care.
Based on this successful architecture, Viz.ai achieved,
Societal security — Business Continuity Management Systems
ISO 22301:2012 is an international standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents.
Business continuity is part of overall risk management in a company, with areas that overlap with information security management and IT management.
Viz.ai is the first company in the medical software industry to achieve ISO 22301:2012 certification, demonstrating our commitment to high availability and business continuity.
Reporting Suspected Vulnerabilities
Viz.ai takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our cloud services.
- If you would like to report a vulnerability or have a security concern regarding Viz.ai cloud services, please e-mail firstname.lastname@example.org.
A dedicated security team works alongside the Cloud Services team and investigates all reports of security vulnerabilities affecting Viz.ai products and services.
So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability. The information that you share with Viz.ai as part of this process is kept confidential within Viz.ai. It will not be shared with third parties without your permission.
Viz.ai will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outlining the next steps in the process.
Evaluation by Viz.ai
After the report has been submitted, Viz.ai will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, Viz.ai will work with you to obtain it. When the initial investigation is complete, results will be delivered to you, together with a plan for resolution and public disclosure.
A few things to note about the Viz.ai evaluation process:
- Confirmation of Non-Vulnerabilities. If the issue cannot be validated, or is not found to be a flaw in a Viz.ai product, this will be shared with you.
- Vulnerability Classification. Viz.ai uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps us quantify the severity of the issue and prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement.
Viz.ai is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us at least every five working days.
If applicable, Viz.ai will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.
In order to protect our Customers, Viz.ai requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed Customers if required.
Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.
Viz.ai public notifications are in the form of security bulletins, which are posted here in our Security Trust Center. Individuals, companies, and security teams typically post their advisories on their own web sites and in other forums and, when relevant, we will include links to those third-party resources in Viz.ai security bulletins.
Certifications, Policies & Reports
Viz.ai provides third-party attestations, certifications, Service Organization Controls (SOC) report and other relevant compliance reports directly to our customers under NDA.
The Viz.ai ISO/IEC 27001:2013 certification can be downloaded from Viz.ai Trust Center.
The Viz.ai Security Team regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities. The Viz.ai Security Team notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to the Viz.ai leadership.
In addition, the Viz.ai control environment is subject to regular internal and external audits and risk assessments. Viz.ai engages with external certifying bodies and independent auditors to review and test the overall Viz.ai control environment.