Twin is SOC2 Type 2 certified by AICPA. A copy of our SOC report is available to customers and partners upon request.
Twin Health is HIPAA compliant. Twin requires that covered entities and business associates sign HIPAA compliant Business Associate Agreements in order to ensure HIPAA compliant treatment of PHI. Every staff member at Twin must complete HIPAA compliance and Security training modules at onboarding and annually thereafter. Our privacy policy is available at Privacy Policy and our Notice of Privacy Practices is available at this link.
Twin Health takes your privacy very seriously and goes to great measures to safeguard the data in our care. We follow a minimum necessary standard for access and usage of PHI data and we have established policy, process, and controls to ensure data is classified, secure, and ethically handled. We adhere to data retention and disposal policies for all data, including electronic and paper records, in compliance with HIPAA regulation, applicable laws, and client contractual agreements.
Overview:
At Twin Health, the safety and security of your organization is of paramount importance to us. We are fully compliant with HIPAA regulations, and we have SOC 2 Type 2 certifications.
Upon signing a non-disclosure agreement, we are happy to share the certifications. To protect customer information, we ensure that all data is encrypted both in transit and at rest. We use AES128 encryption, which provides a strong level of security. When transferring files, we support secure file transfers using SFTP and HTTPS. Additionally, we utilize secure messaging whenever it is appropriate to ensure the privacy and integrity of communication.
Where is the solution hosted?
Twin Health's infrastructure is hosted in multiple availability zones in Amazon Web Services (AWS) and in Google Workspace. All US data is stored in the US and accessed only by US employees. We ensure that all vendors utilized by Twin Health, where PHI may be exchanged, are HIPAA compliant and have signed a Business Associates Agreement.
What is Twin's Disaster Recovery Protocol/Strategy?
The Twin Health platform is hosted on AWS and uses multiple Availability Zones for its database, storage, and compute infrastructure. This is fully managed by AWS and provides automatic failover when a single geographical site is unavailable. Database snapshots are taken hourly and are fully managed by AWS. These snapshots are tested by restoring them to a test environment every month.
Is the hosting environment certified?
Yes, the vendors used by Twin Health have ISO 27001, SOC2 Type 2, and/or HITRUST CSF certifications. We regularly review and verify that the certifications are kept up-to-date, and any findings are promptly resolved.
Do you have an on-premises option?
Twin Health does not utilize physical servers. We have chosen leading, industry-recognized cloud environments that support auto-scaling, multiple data centers, and multiple Internet providers. Our vendors are responsible for hardware maintenance, security, and environmental controls in their data centers. They have robust business continuity and disaster recovery architectures in place.
What security practices do you employ?
Twin Health is SOC 2 Type 1 Certified and maintains an Information Security program. Additionally, Twin incorporates inputs from HIPAA, federal/state regulations, NIST 800-53, HITRUST, and contractual agreements. We adhere to the HIPAA minimum necessary rule to address privacy concerns. 2FA is deployed throughout Twin's technical landscape for enhanced security.
Does Twin Health use 3rd parties to validate your security protocols?
Twin Health regularly conducts independent third-party Security Assessments to benchmark the company's privacy and security practices, as well as physical, technical, and administrative safeguards. We also perform annual penetration testing and monthly vulnerability scans. Our Security and DevOps teams promptly review and resolve any identified issues. Upon signing a non-disclosure agreement, we are happy to share a summary of these reports.
Does Twin leverage 3rd parties to deliver services to members?
Twin does not use 3rd parties or consultants to provide services to members or to maintain its environment. The service offerings are provided to customers and maintained by Twin Health employees.
What kind of authentication do you use?
Twin Health utilizes strong password criteria with mix-casing, alpha-numeric, and special character requirements. Users are required to change passwords every 90 days and cannot reuse passwords. Two-Factor Authentication (2FA) and Single Sign-On (SSO) are employed where appropriate.
What Network / Application Security protocols are in place?
Twin Health employs access controls with explicit "Deny All" rules to manage networks, applications, and systems. We monitor these systems using technologies such as DLP (Data Loss Prevention), IDS/IPS (Intrusion Detection System/Intrusion Prevention System), SIEM (Security Information and Event Management), log reviews, anti-malware software, and firewalls. Regular reviews and audits are conducted to ensure their effectiveness.
What type of encryption does the Twin app use?
All web-enabled transactions requiring user authentication and data transfer are performed using HTTPS with TLS 1.2, Secure Shell v2 (SSH), or Secure File Transfer Protocol (FTPS). Additionally, all data is encrypted both at rest and in transit to provide comprehensive protection.
What system security protocols are in place?
Twin Health ensures that all software, including operating systems, databases, applications, and device drivers, is kept up to date with the latest patches. System hardening principles are implemented to enhance security. We employ advanced malware detection and enforce user, file/registry, and process monitoring.
What physical and staff security measures are in place?
Closing Statement:
Your trust is paramount to us, and we continuously strive to enhance our security practices. If you have any further questions or concerns, please don't hesitate to reach out to our dedicated security team. We appreciate your partnership and remain committed to providing a secure environment for your data.
Thank you for choosing Twin Health.
Tom Calandrino
Chief Information Security Officer