Security & Data Protection

This document outlines the security, compliance, privacy, and operational controls implemented to protect customer data.

Governance, Risk, and Compliance

Information Security Management System (ISMS)

Genialis operates an ISO/IEC 27001 certified ISMS covering risk management, incident response, access control, and continuous improvement. Security policies, procedures, and controls are formally documented and reviewed regularly as part of management reviews and audits. Security responsibilities are clearly defined across roles, including access management, incident handling, and compliance oversight.

Quality Management System

The organization is ISO 9001 certified, ensuring structured quality assurance and process controls.

Platform Architecture & Hosting

Genialis Expressions is deployed on Amazon Web Services (AWS) using a shared responsibility model.

  • Infrastructure hosted in AWS data centers (US by default; EU region available upon request)

  • Logical data isolation between customer environments

  • AWS-native network security controls and monitoring mechanisms

  • No direct third-party access to customer datasets

AWS is responsible for physical security, underlying infrastructure, and network protection, while Genialis is responsible for secure configuration, access control, encryption, and application-level security. Detailed architecture diagrams and data flow descriptions are available upon request and subject to appropriate confidentiality controls.

Identity & Access Management

Access to systems and data follows the principle of least privilege and a need-to-know basis.

  • Role-based access control (RBAC) is enforced across internal systems and the platform.

  • All administrative access requires explicit approval by the CTO.

  • Access rights are reviewed periodically and revoked immediately upon termination or role change.

  • Authentication controls include:

    • Strong password policies

    • Mandatory multi-factor authentication (MFA)

    • Centralized secrets management using 1Password

All access to production systems and customer data is logged and auditable.

Encryption & Key Management

Genialis applies encryption consistently to protect data throughout its lifecycle.

  • Data at rest: Encrypted using industry-standard encryption (AES-256 or equivalent)

  • Data in transit: Encrypted using TLS 1.2+

  • Temporary credentials: Short-lived credentials are used for cloud resource access

  • Key management: Encryption keys are managed through AWS Key Management Service (KMS)

  • Customer data is never transferred via physical media.

Logging, Monitoring & Vulnerability Management

  • Application-level and infrastructure-level audit logs are enabled and retained securely.

  • Logs include access events, administrative actions, and system activity.

  • Infrastructure-level logging uses AWS CloudTrail and S3 access logging.

  • Security events are reviewed as needed and during incident investigations.

  • Vulnerability management:

    • Operating systems and dependencies are kept up to date

    • Third-party penetration testing is performed annually

    • Findings are tracked and remediated according to risk

Incident Management & Breach Response

Genialis maintains a formal Information Security Incident Management process.

  • All security incidents (actual or suspected) are recorded and investigated.

  • Incidents are classified based on risk and impact.

  • In the event of a personal data breach:

    • Customers are notified without undue delay

    • Regulatory notification obligations are supported where applicable

  • Incident handling includes:

    • Detection and containment

    • Root cause analysis

    • Corrective and preventive actions (CAPA)

    • Lessons learned

To date, Genialis has not experienced a confirmed data breach.

Backup, Disaster Recovery & Business Continuity

  • Platform data is backed up regularly to secure, encrypted cloud storage

  • Backup restoration procedures are tested at least annually

  • Backups are protected with restricted access and encryption

  • Business continuity and disaster recovery measures are defined and periodically reviewed

Personnel Security & Awareness

  • All employees and contractors are bound by confidentiality and non-disclosure obligations.

  • Security awareness training is conducted at least annually and includes:

    • Secure data handling

    • Threat awareness (e.g., phishing, credential misuse)

    • Incident reporting obligations

  • Contractors receive equivalent security training prior to being granted access.

Data Protection & GDPR Compliance

Genialis acts as a data processor. Key GDPR-aligned measures include:

  • Records of Processing Activities (RoPA)

  • Data Processing Agreements (DPA)

  • Standard Contractual Clauses (SCCs) where applicable

  • DPIAs conducted when required

  • Data subject rights handling process

  • HIPAA-aligned safeguards when PHI is processed

  • Business Associate Agreement (BAA) available upon request

Personal data is processed strictly in accordance with customer instructions and contractual agreements.

Third Parties & Subprocessors

  • Genialis does not share customer data with third parties except for essential infrastructure providers (e.g., AWS).

  • All subprocessors are assessed for security and data protection compliance.

  • DPAs and Standard Contractual Clauses (SCCs) are in place where required.