SECURITY & INFRASTRUCTURE POLICIES
INFORMATION SECURITY POLICY
Issued By: SAHCHI HEARING AND SPEECH SOLUTIONS PRIVATE LIMITED (“Gabify”)
Applies To: All systems, infrastructure, employees, contractors, and Neurolens operations.
1. PURPOSE
This Information Security Policy establishes the security framework used by Gabify to protect:
- Child data
- Clinical data
- Audio and video content
- AI inference data
- User and organizational information
- Operational data
It aligns with:
- DPDP Act, 2023
- IT Act, 2000 & IT Rules, 2011
- ISO 27001 principles
- HIPAA-inspired safeguards
- Responsible AI guidelines
2. SECURITY OBJECTIVES
Gabify commits to maintaining:
2.1 Confidentiality
Unauthorized users must not access sensitive data.
2.2 Integrity
Data must not be altered without authorization.
2.3 Availability
Systems remain accessible and reliable for users.
3. SECURITY GOVERNANCE STRUCTURE
Gabify maintains:
3.1 Information Security Officer (ISO)
Responsible for:
- Overseeing system security
- Approving access
- Ensuring compliance
- Managing incidents
3.2 Engineering Security Team
Responsible for:
- Infrastructure hardening
- Vulnerability patching
- Secure development lifecycle (SDLC)
3.3 Data Protection Committee
Oversees:
- AI safety
- Data minimization
- Privacy risk assessments
- Policy updates
4. RISK MANAGEMENT FRAMEWORK
Gabify performs:
- Annual security audits
- Vulnerability assessments
- Penetration testing (internal/external)
- Cloud configuration audits
- Data Protection Impact Assessments (DPIAs)
Risks are categorized as:
- Low
- Moderate
- High
- Critical
Mitigation plans are documented and monitored.
5. SECURE SOFTWARE DEVELOPMENT LIFECYCLE (S-SDLC)
Neurolens development follows:
- Code reviews
- Threat modeling
- Dependency audits
- Secure coding practices
- Static/dynamic security scans
- Staged deployments
- Automated test suites
Production releases require approval from engineering & security teams.
6. CLOUD INFRASTRUCTURE SECURITY
Gabify uses industry-standard cloud providers (AWS/GCP).
Safeguards include:
- Private VPC
- Firewalls
- Zero-trust architecture
- Network segmentation
- Multi-zone redundancy
- Encrypted backups
All servers meet:
- SOC 2
- ISO 27001
- Tier III+ datacenter certifications
7. ACCESS CONTROL
Gabify enforces:
- Role-Based Access Control (RBAC)
- Principle of Least Privilege
- Mandatory 2FA for internal systems
- Logged and monitored admin activity
- Zero shared credentials
- Annual access reviews
Only authorized staff may view sensitive or AI training data.
8. DATA SEGREGATION
Data is segregated by:
- Institution/tenant ID
- User role
- Access category
- Environment (dev/staging/production)
No production data is used in development environments.
9. SECURITY TRAINING
Employees receive:
- Annual security training
- Privacy workshops
- Phishing simulations
- Secure coding training
NDAs are mandatory for all staff.
10. BUSINESS CONTINUITY & DISASTER RECOVERY
Gabify maintains:
- Automated encrypted backups
- Geographic redundancy
- Failover protocols
- 24x7 infrastructure monitoring
Recovery Time Objective (RTO): <4 hours
Recovery Point Objective (RPO): <1 hour
ENCRYPTION & ACCESS CONTROL POLICY
1. PURPOSE
This policy outlines how Gabify encrypts and controls access to sensitive data, including:
- Audio
- Video
- Child information
- Behavioral recordings
- Assessment summaries
- AI inference data
2. ENCRYPTION STANDARDS
2.1 Encryption at Rest
All sensitive data stored on Neurolens servers is encrypted using:
- AES-256 encryption
- Secure key vault storage
- Automatic key rotation
2.2 Encryption in Transit
Data transmitted between devices and servers is encrypted using:
- TLS 1.2 or higher
- HSTS
- Certificate pinning (where applicable)
3. ACCESS CONTROL MECHANISMS
Gabify enforces:
3.1 Role-Based Access Control (RBAC)
Roles include:
- Institution Admin
- Clinician
- Therapist
- Read-only assistant
- Technical support (limited)
3.2 Access Authorization
Admins may restrict access to:
- Reports
- Videos
- Child-specific notes
3.3 Access Logging
All access to sensitive data is logged:
- Timestamp
- IP address
- User identity
- Action performed
3.4 Session Security
- Automatic session timeout
- Device-based session tracking
- Detection of suspicious activity
4. PASSWORD & AUTHENTICATION POLICY
Users must:
- Create strong passwords
- Not share credentials
- Notify administrators of compromised accounts
Gabify may enforce:
- Multi-factor authentication (MFA)
- Password rotation policies
5. INTERNAL ACCESS RESTRICTIONS
Gabify engineers cannot access patient data unless:
- Required for debugging
- Explicitly authorized
- Logged and monitored
Even then:
- Only de-identified data is used where possible
- Temporary access is revoked after issue resolution
6. DATA EXPORT & SHARING CONTROL
Gabify restricts:
- Download of raw video/audio
- Export of machine learning datasets
- Share via external drives or insecure platforms
Institutions control:
- Who can export reports
- Who can share assessment outputs
INCIDENT RESPONSE POLICY
Outlines Gabify’s method for identifying, responding to, and resolving security incidents.
1. PURPOSE
This Incident Response Policy ensures that:
- Security events are detected quickly
- Containment is immediate
- Impact is minimized
- Clients and authorities are informed in a timely manner
2. INCIDENT classNameIFICATION
Incidents include:
2.1 Severity Level 1 — Critical
- Data breach
- Unauthorized access to child data
- Ransomware attack
- Server compromise
2.2 Severity Level 2 — High
- System outage
- Suspicious anomalous activity
- Failed authentication attempts
2.3 Severity Level 3 — Medium
- Malware detection
- API misuse
- Unauthorized configuration change
2.4 Severity Level 4 — Low
- Non-critical bugs
- Minor policy violations
3. INCIDENT RESPONSE TEAM (IRT)
The IRT includes:
- Information Security Officer
- CTO
- Engineering Lead
- Compliance Officer
- Legal Advisor
4. INCIDENT RESPONSE PROCESS
4.1 Identification
- Automated alerts
- Manual reports
- Log analysis
4.2 Containment
- Disable access
- Isolate systems
- Suspend compromised accounts
4.3 Eradication
- Patch vulnerabilities
- Remove malware
- Reset credentials
4.4 Recovery
- Restore from backups
- Validate system integrity
- Resume operations
4.5 Notification
Institutions notified within 72 hours when a breach involves personal or sensitive personal data.
Authorities notified as required by DPDP Act.
4.6 Post-Incident Review
- Root-cause analysis
- Preventive measures
- Updated controls
5. USER RESPONSIBILITIES DURING INCIDENTS
Institutions must:
- Cooperate with Gabify
- Provide any logs or information needed
- Avoid destroying evidence
- Reset passwords if requested
6. REPORTING INCIDENTS
Users should report:
- Suspicious logins
- Unexpected data access
- Unusual system behavior
to security@gabify.life or info@gabify.life.
AUDIT & LOG RETENTION POLICY
1. PURPOSE
This policy defines how Gabify:
- Logs user activity
- Retains logs for compliance
- Prevents misuse
- Supports forensic analysis
2. TYPES OF LOGS MAINTAINED
Gabify maintains logs for:
2.1 Access Logs
User ID, timestamp, IP, device data.
2.2 Activity Logs
Actions taken within Neurolens:
- Edits
- Views
- Downloads
- Report generation
2.3 Error Logs
System and API failures.
2.4 Security Logs
Authentication events, MFA attempts, anomalies.
2.5 Audit Logs
Administrative changes, role updates, consent tags.
3. RETENTION PERIOD
| Log Type | Retention Duration |
|---|---|
| Access logs | 12–24 months |
| Activity logs | 24 months |
| Security logs | 24 months |
| Audit logs | 36 months |
| Error logs | 6–12 months |
4. LOG ACCESS & USE
Logs are:
- Restricted to authorized staff only
- Used for security monitoring
- Used for internal audits
- Shared with institutions when necessary for compliance
5. LOG INTEGRITY PROTECTIONS
Gabify ensures logs are:
- Tamper-proof
- Encrypted
- Version-controlled
- Stored separately from operational databases
6. EXTERNAL AUDITS
Gabify may undergo:
- Security audits
- Compliance audits
- AI fairness audits
- Codebase evaluations
Institutions may request documentation.
7. CONTACT
Email: info@gabify.life