Security built into how Sobah Systems operates
Sobah Systems maintains a security and privacy program designed to protect the confidentiality, integrity, and availability of customer data. Our controls are structured to support readiness for SOC 2, HIPAA, NIST, and ISO 27001 obligations and to give customers a clear understanding of how we secure our systems and services.
Security overview
Security at Sobah Systems is supported through documented policies, defined responsibilities, secure infrastructure, controlled access, and ongoing monitoring. We apply layered safeguards intended to reduce risk and support customer trust, especially for regulated healthcare workflows.
Governance and risk management
Our security program is supported by internal governance processes for risk identification, control ownership, incident management, change oversight, and periodic review of security-related responsibilities.
Core principles
- Access is granted based on business need and the principle of least privilege.
- Security controls are layered according to a defense-in-depth approach.
- Changes to systems and access are reviewed through defined processes.
- Security events are logged, triaged, and escalated through incident response procedures.
- Customer data handling is governed by privacy, confidentiality, and contractual obligations.
Administrative safeguards
Administrative controls help establish accountability, oversight, and repeatable security practices across the organization.
Policies and procedures
Documented policies and supporting procedures govern information security, access control, incident response, risk management, change management, and business continuity activities.
Access lifecycle management
User access is provisioned according to job responsibilities and is subject to approval, modification, and timely removal through defined onboarding and offboarding processes.
Security awareness
Personnel receive security and privacy awareness training aligned to their responsibilities, including onboarding and periodic refresher training.
Technical safeguards
Technical controls are implemented to help secure systems, manage access, protect data, and support traceability.
Encryption
Customer data is protected using encryption in transit (current TLS versions) and encryption at rest within supported storage and platform services.
Identity and authentication
Access to business systems and administrative functions is controlled through centralized identity processes, multi-factor authentication, and role-based permissions.
Logging and monitoring
Relevant security and operational events are logged and reviewed to support alerting, investigations, troubleshooting, and security oversight.
HIPAA readiness
Sobah Systems supports healthcare customers by maintaining safeguards intended to align with HIPAA security expectations for protecting electronic protected health information when applicable to the services provided.
| HIPAA area | How Sobah Systems addresses it |
|---|---|
| Administrative safeguards | Risk management activities, security responsibilities, access procedures, training, and incident response processes support administrative oversight. |
| Technical safeguards | Identity controls, encryption, logging, monitoring, and managed system access help protect systems handling regulated data. |
| Workforce controls | Access is assigned according to job role and business need, with defined onboarding, offboarding, and review procedures. |
| Incident response | Security events are evaluated through documented incident response processes, including investigation, containment, remediation, and communication procedures. |
| Vendor oversight | Third-party services are reviewed based on business need and security considerations before use in customer-facing environments. |
| Contractual support | A Business Associate Agreement (BAA) may be made available where appropriate to the services and data processing scope. |
Infrastructure and data protection
Sobah Systems uses secure cloud infrastructure and operational controls to support service reliability and data protection.
Hosting and resilience
- Cloud-hosted infrastructure with physical and environmental protections managed by the hosting provider (Microsoft Azure)
- Service redundancy and backup strategies appropriate to the deployed environment
- Operational monitoring to support availability and response
Data handling
- Customer data access is restricted to authorized personnel with a legitimate business need (least privilege access model)
- Secrets and credentials are stored using approved secure management practices
- Retention and deletion activities are managed through defined procedures and contractual obligations
Security operations
Ongoing security operations help detect issues, support investigations, and maintain accountability across systems and devices.
Endpoint security
Corporate endpoints are managed through device security controls such as configuration enforcement, updates, and protective software.
Remote access
Remote access to internal systems is controlled through approved secure access methods and identity-based protections.
Change control
Changes to systems and environments are reviewed through established processes intended to reduce operational and security risk.
Response readiness
Documented response procedures support identification, escalation, containment, remediation, and post-incident review.
What customers can request
Depending on the stage of engagement and applicable confidentiality requirements, Sobah Systems may make selected security documentation available for review.
Trust Center
Access our Trust Center to review security practices, certifications, and compliance documentation.
Contact the Sobah Systems security team
For customer security reviews, diligence requests, or questions related to privacy and regulated data handling, contact our security team.
