1. Introduction and Purpose
Cloudwick Technologies, Inc. (“Cloudwick”) is committed to providing high-quality services to its clients while maintaining the highest standards of security and privacy. As part of its service delivery, Cloudwick utilizes offshore employees and approved third-party vendor partners only when the engagement is explicitly authorized in writing by the client and when equivalent on-shore capacity is unavailable or cost-prohibitive. This document outlines our offshore policy and the measures we take to protect the privacy and security of our clients’ data, including Protected Health Information (PHI), in accordance with applicable laws and regulations including the Health Insurance Portability and Accountability Act (HIPAA). Cloudwick may change this Offshore Resources Policy from time to time by posting changes here. Your continued use of the Services following the posting of such changes will be deemed your acceptance of those changes, unless additional consent is required.
This policy establishes:
- The circumstances under which offshore resources may be used
- Security and compliance requirements for offshore operations
- Access control methodologies and limitations
- Risk management and continuous monitoring procedures
- Breach notification and incident response procedures
2. Definitions
- Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate.
- Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
- Offshore Resources: Employees, contractors, or third‑party vendors located outside the United States who require access to client systems or data, including PHI, under a written Statement of Work (SOW) or Master Services Agreement (MSA).
- Transient Access: Time‑bound, read‑only access to client data for a defined task where data is never permanently stored offshore.
- Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
- Virtual Desktop Infrastructure (VDI): Centrally hosted, HIPAA‑eligible desktop environments that provide secure, virtualized access to client systems and data.
3. Security Framework and Certifications
Cloudwick maintains and annually renews attestations aligned with SOC 2 Type II, HIPAA, and NIST 800‑53. Independent auditors verify compliance at least once every twelve months, and certificates are supplied to clients upon request.
4. Data Storage and Hosting Practices
4.1. Data Storage Location
- Cloudwick does not store or host electronic health records or PHI outside of the United States.
- All client data is hosted exclusively in U.S.‑based AWS regions unless the client formally requests another region in writing.
- AWS cloud services utilized by Cloudwick operate in facilities within the United States that are owned/controlled by Amazon Web Services.
4.2. Transient Access
Transient access to client data occurs only when the following conditions are all met:
- The access is necessary to fulfil a contractual obligation documented in the SOW/MSA.
- The specific task cannot be completed without the access.
- The access is provided via VDI or an encrypted VPN session as defined in Section 8.
- The access window is limited to the minimum time required, not to exceed 8 consecutive hours.
4.3. Temporary Data Storage
- In exceptional circumstances where temporary storage is required for troubleshooting, the storage and disposal of such data adheres to Cloudwick's security policies.
- All temporarily stored data is promptly destroyed upon completion of the task necessitating such storage, typically within 24 hours.
- Encryption is employed for all data temporarily stored offshore, following industry standards and best practices.
5. Use of Virtual Desktop Infrastructure (VDI)
Cloudwick utilizes Virtual Desktop Infrastructure (VDI) as a preferred method for providing offshore resources with secure access to client environments when necessary.
5.1. VDI Configuration
- All virtual desktops provisioned for offshore personnel are configured according to HIPAA-compliant templates.
- VDI environments are deployed within Cloudwick's HIPAA-eligible cloud accounts, covered by appropriate Business Associate Agreements (BAAs).
- PHI is only processed, stored, or transmitted using HIPAA-eligible services.
5.2. Data Containment
Virtual desktops are configured to prevent data exfiltration by disabling:
- Copy and paste between the local device and the virtual desktop.
- File transfers between the local device and the virtual desktop.
- Printing to local printers.
- Use of external storage devices.
5.3. VDI Security Controls
- Full disk encryption is enabled on all virtual desktop instances.
- Multi-factor authentication (MFA) is required for all VDI access.
- Sessions automatically disconnect after 15 minutes of inactivity.
- Each session is recorded and logged for security and compliance purposes.
- Regular security scans are performed on all virtual desktop instances.
5.4. Network Security
- All VDI traffic is encrypted in transit.
- IP-based restrictions limit VDI access to approved network locations.
- Network security controls restrict traffic to only necessary ports and services.
6. Offshore Employee Requirements
6.1. Training and Awareness
- All Cloudwick employees, including offshore employees, receive comprehensive training on:
(a) HIPAA requirements and privacy regulations
(b) Cloudwick's security policies and procedures
(c) Secure handling of PHI and sensitive information
(d) Incident reporting procedures
- Training is conducted upon hire and at least annually thereafter.
- Completion of training is documented and tracked.
6.2. Background Checks
- All offshore employees undergo comprehensive background checks in accordance with local laws.
- Employment is contingent upon successful completion of these checks.
- Background checks are periodically refreshed for employees in sensitive roles.
6.3. Confidentiality Agreements
- All offshore employees sign comprehensive confidentiality and non-disclosure agreements.
- These agreements explicitly cover protection of client data, including PHI.
- Agreements include provisions for continued confidentiality after employment termination.
7. Third-Party Vendor Management
7.1. Vendor Selection and Due Diligence
- Third-party vendors are selected based on rigorous security and compliance criteria.
- Security assessments of vendors include evaluation of:
(a) Security policies and procedures
(b) Compliance with relevant standards
(c) History of security incidents
(d) Business continuity and disaster recovery capabilities
7.2. Contractual Requirements
- All third-party vendors with access to PHI operate under a Business Associate Agreement (BAA).
- Contracts explicitly prohibit offshore storage of client data, including PHI.
- Vendors are contractually obligated to comply with Cloudwick's security and privacy policies.
- Contracts include provisions for security incident reporting and breach notification.
7.3. Vendor Monitoring and Management
- Cloudwick regularly reviews third-party vendor compliance through:
(a) Annual security assessments
(b) Review of vendor security reports and certifications
(c) Periodic audits of vendor access and activities
- Cloudwick reserves the right to terminate relationships with vendors for security or compliance violations.
8. Access Controls
8.1. Access Methodologies
- Access to client systems and data by offshore personnel occurs through:
(a) Virtual Desktop Infrastructure (VDI) solutions (primary method)
(b) Encrypted VPN channels (when VDI is not feasible)
- All connections are encrypted in both directions, so traffic to and from the client environment is protected in transit.
- All access requires multi-factor authentication.
8.2. Principle of Least Privilege
- Offshore resources are granted access only to systems and data necessary for their specific job functions.
- Access rights are regularly reviewed and adjusted based on job role changes.
- Access is denied by default; every grant requires explicit, documented approval.
8.3. Authentication Requirements
- All access requires strong password authentication combined with multi-factor authentication.
- Passwords must meet complexity requirements and are rotated regularly.
- Failed authentication attempts are monitored and trigger account lockouts.
- Authentication credentials are unique to each individual and never shared.
8.4. Session Management
- All sessions have defined timeouts for inactivity.
- Sessions are logged and monitored for unusual activity.
- Critical activities require session re-authentication.
9. Breach Notification Procedures
9.1. Incident Detection and Reporting
- All offshore personnel are trained to recognize and report potential security incidents.
- Multiple reporting channels are available for incident notification.
- Automated monitoring systems are in place to detect potential security incidents.
9.2. Incident Response
- The Cloudwick security team responds to all reported incidents according to defined procedures.
- Incidents involving PHI or client data trigger an immediate escalation protocol.
- The incident response team includes representatives from security, legal, and executive management.
9.3. Client Notification
- Clients are notified of confirmed breaches involving their data in accordance with contractual obligations and regulatory requirements.
- Notification includes:
(a) Nature and extent of the breach
(b) Data potentially affected
(c) Steps taken to mitigate harm
(d) Measures implemented to prevent future incidents
- Cloudwick cooperates fully with clients in breach investigations and mitigation efforts.