Trust Our Work
Information Security
Onpoint’s Information Security Program protects our clients’ data at every stage of the processing and storage pipeline. Backed by decades of secure operations for state and federal agencies, our certified framework is aligned with leading industry standards and strengthened through continuous testing and expert oversight.
Our Commitments to Data Protection
Onpoint’s security protocols are founded on four core commitments to keep data safe, secure, reliable, and responsibly used.
Secure Infrastructure & Solutions
We build industry-leading solutions that are carefully layered, continuously monitored, and architected to meet the highest security standards.
- Hosted in FedRAMP-compliant, SOC 2-certified cloud environments
- End-to-end encryption for data in motion and at rest
- Advanced threat detection with 24/7 monitoring
- Security-first practices reinforced through ongoing training for all staff
Privacy Protections & Protocols
We minimize access, protect every identifier, and ensure that privacy is preserved throughout the entire data lifecycle.
- Role-based controls that limit access using “minimum-necessary” standards
- Multi-factor authentication for reinforced access control and identity verification
- PHI/PII protection measures, including field-level masking and data segmentation
- Comprehensive audit logging for continuous monitoring, tracking, and accountability
System Stability & Resilience
We engineer our systems for stability, resilience, and uninterrupted availability, even in the face of unexpected events.
- Daily encrypted back-ups with versioned data storage
- Disaster-recovery plans and procedures for rapid restoration
- Redundant cloud architecture for high availability and scalability
- Proactive monitoring to detect issues before they can impact users
Data Care & Stewardship
We perform our work with an unmatched commitment to the care and custodianship of our clients’ data, putting responsible data handling at the heart of everything we do.
- Strict data segregation so each client’s information remains fully isolated
- No local or on-premises storage of sensitive information
- 24/7 monitoring of role-based data access and permission controls
- Formal governance processes with regular policy reviews and risk assessments
Certifications & Standards
Privacy and security are core priorities at Onpoint, which is why our systems and solutions are built with rigorous safeguards, continuous monitoring, and proactive privacy protections.
Guided by national and federal frameworks, our security practices are embedded in both our technology infrastructure and our corporate culture, ensuring that our clients’ data are protected throughout collection, transmission, processing, delivery, and reporting.
Our robust Information Security Program has successfully achieved both HITRUST CSF® Certification – the elite, gold standard in health data security – and Qualified Entity Certification Program (QECP) security compliance from the U.S. Centers for Medicare & Medicaid Services (CMS). Onpoint also serves as the CMS Data Custodian for many of our clients, offering more than 15 years’ experience successfully satisfying all terms and conditions contained in our clients’ negotiated Data Use Agreements and Data Management Plans with CMS.
Secure Solutions Using Best Practices
Onpoint’s systems and solutions are deployed exclusively within Amazon Web Services (AWS) using FedRAMP-compliant, SOC 2-certified cloud services and industry-leading physical and technical protections. All systems are designed with layered security architecture to ensure the confidentiality and integrity of protected data. Safeguards include:
End-to-End Encryption
Sensitive data are encrypted both at rest and in transit using NIST-approved algorithms, additional encryption layers, and secure transmission protocols.
Isolated Storage
Each client’s data are hosted in isolated environments within virtual private clouds that are separated into distinct functional tiers and protected using layered firewalls and Intrusion Detection and Prevention Systems.
Deliberate Redundancy
Encrypted, automated nightly back-ups are performed for all production databases, and disaster recovery tests are regularly conducted to confirm continuity and rapid restoration capabilities.
Continuous Monitoring
Onpoint employs continuous monitoring through cloud-certified engineers and trusted third-party security partners. Logs are analyzed in real time to detect and respond to anomalies, and all systems undergo regular external penetration testing and third-party audits.
Role-Based Access
Data access is rigorously controlled using role-based privileges, “minimum necessary” standards, and multi-factor authentication (MFA) for all user and administrator endpoints.
Ongoing Vigilance
Onpoint’s staff undertakes mandatory, annual HIPAA, HITECH, and security awareness training, supplemented by ongoing phishing simulation exercises, logging of all system activity, third-party testing, and monthly meetings of our security team to review evolving threats, emerging risks, and corrective actions.
AI Principles & Practices
Onpoint is committed to the responsible, transparent, and ethical incorporation of artificial intelligence (AI) across our platforms and services when appropriate. We leverage AI to enhance, not replace, the judgment of the human analysts, researchers, and policymakers who depend on our data, solutions, and services.
Data privacy comes first.
No external AI tool has access to Onpoint’s systems or data; all models operate within our secure, client-specific environments with no access to the general internet.
Transparency precedes use.
Any AI-assisted process is designed, tested, reviewed, documented, and explainable both internally and externally.
Human oversight is required.
Onpoint staff validate all AI-generated code, insights, and recommendations using a multi-step process prior to incorporation into any service or solution.
How We Use AI
- Enhance anomaly detection and quality validation using machine learning
- Support AI-driven workflows for users within our secure analytics platform
- Enhance and streamline UI/UX design and software development processes
- Power AI-chat analytic assistants that help users explore approved data sets
All AI usage rigorously complies with Onpoint’s Information Security Program as well as applicable client-specific agreements and state and federal requirements.