Information Security Policy for Ionic Health

Introduction

Ionic Health is committed to safeguarding the security, confidentiality, and integrity of all information it handles. This policy outlines our approach to information security, establishing standards to protect data, secure system access, and ensure compliance with industry best practices based on the National Institute of Standards and Technology (NIST) framework. Through this policy, Ionic Health aims to create a secure environment that builds trust and supports reliable operations across the organization.

1. Scope

This Information Security Policy applies to all Ionic Health personnel, contractors, partners, and authorized individuals who access, use, or manage any company resources, data, or systems. It encompasses data handling, system access, security measures, and incident response protocols to protect against unauthorized access and data breaches.

2. Information Security Principles

Our information security approach aligns with the following NIST framework principles:

Identify Risks: Regularly assess security risks associated with our data, assets, and systems to understand potential vulnerabilities.
Protect Information: Establish preventive measures to safeguard data and restrict access to authorized personnel only.
Detect Threats: Implement monitoring tools and practices to identify suspicious activity or security events promptly.
Respond Effectively: Have a structured approach to respond to security incidents to minimize impact.
Recover Operations: Ensure continuity through reliable recovery and restoration plans in the event of an incident.

3. Data Protection and Confidentiality

Ionic Health collects and processes only the data necessary to support its operations and deliver services. All personal, proprietary, and sensitive information is treated as confidential and protected against unauthorized access or disclosure.

Data Minimization: We limit data collection to what is essential for operational and regulatory purposes.
Confidentiality Assurance: Data is classified according to its sensitivity, and access is limited to individuals with a legitimate need to know.

4. Access Control and Authorization

Access to Ionic Health’s systems and data is granted only to authorized individuals based on role-specific requirements. Access rights are managed carefully and reviewed periodically to maintain secure and responsible data handling across all levels of the organization.

5. Security Awareness and Training

Ionic Health provides regular security awareness training to ensure that all personnel understand their roles in protecting information and adhering to security practices. This training covers essential topics such as recognizing threats, secure data handling, and reporting potential security issues.

6. Compliance and Legal Requirements

We ensure that all Ionic Health systems and practices align with applicable laws, regulatory standards, and industry best practices. Our commitment to compliance is supported by regular audits, assessments, and policy reviews to maintain high security and legal standards.

7. Incident Management and Response

Ionic Health has an established incident response plan to handle security incidents in a structured and timely manner. This includes steps for containment, investigation, and notification to mitigate any potential impact on data and operations.

8. Policy Review and Continuous Improvement

This policy is periodically reviewed to incorporate updates in regulatory standards, emerging threats, and industry best practices. Ionic Health is committed to continuously improving its information security posture to address evolving security needs and provide the highest level of protection for its data and systems.

Contact us

For any questions about this Information Security Policy or to report a security concern, please reach out to: security@ionic.health

Information Security Policy

Introduction

IONIC Health is committed to safeguarding the confidentiality, integrity, availability, and privacy of all data we manage — including personal, sensitive, and health-related information. This policy is guided by internationally recognized best practices defined in the ISO/IEC 27001:2022, ISO/IEC 27002:2022, and ISO/IEC 27701:2019 standards, as well as applicable data protection laws such as the LGPD (Lei Geral de Proteção de Dados), GDPR (General Data Protection Regulation), and other relevant local regulations.

Through this policy, we aim to foster a culture of trust, compliance, and transparency.

1. Scope

This policy applies to all individuals and entities interacting with IONIC Health systems or data, including employees, partners, service providers, and users of our digital platforms. It covers the management of both information security and privacy throughout the data lifecycle—from collection and access to storage and disposal.

2. Key Principles

We adopt the following principles to guide our information security and privacy program:

Risk-Based Approach: We continuously assess security and privacy risks to identify vulnerabilities and implement appropriate controls.
Data Protection by Design and by Default: Security and privacy are embedded in all our processes and technologies from the outset.
Minimization and Purpose Limitation: We collect only the data strictly necessary for the intended and lawful purposes.
Accountability and Transparency: We ensure data subjects are informed of how their data is handled and enable them to exercise their rights.
Incident Management: We maintain robust mechanisms for detecting, responding to, and learning from information security and privacy incidents.

3. Information Security Controls

To uphold our commitments, we implement preventive, detective, and corrective controls, including:

Access control and authentication based on least privilege;
Data encryption at rest and in transit;
Continuous monitoring of systems and infrastructure;
Secure software development and system maintenance;
Backup and recovery procedures;
Physical security for data centers and offices.

4. Privacy Commitments

IONIC Health ensures that personal data is processed lawfully, fairly, and transparently. We are committed to:

Informing individuals about data usage, legal basis, and data sharing;
Obtaining and managing consent where required;
Providing mechanisms for data access, correction, and deletion;
Ensuring third-party processors follow equivalent privacy and security practices;
Defining data retention periods and secure disposal methods.

5. Awareness and Training

All team members receive regular training on data protection, privacy rights, and secure handling of information. We promote awareness campaigns and incorporate security into the onboarding of employees and suppliers.

6. Compliance and Audits

We conduct regular audits and reviews of our policies, procedures, and controls to ensure alignment with ISO standards and data protection regulations. Compliance is continuously monitored, and corrective actions are implemented when necessary.

7. Policy Review and Continuous Improvement

This policy is reviewed periodically and updated as necessary to reflect technological changes, regulatory developments, and organizational goals. At minimum, it is reviewed annually or in the event of significant changes in applicable legislation or technology.

8. Third-Party Responsibilities

All third parties, including contractors, suppliers, and service providers, who access or process information on behalf of IONIC Health are required to:

Comply with this Information Security and Privacy Policy and any applicable security contractual clauses;
Demonstrate adherence to equivalent or higher information security and privacy controls;
Notify IONIC Health of any incidents, breaches, or vulnerabilities affecting shared data or systems;
Allow security and privacy assessments or audits when relevant;
Ensure that any subcontracted parties follow the same level of security and privacy standards;
Sign appropriate confidentiality and data processing agreements when applicable.

Failure to comply with these responsibilities may result in contractual termination and other appropriate actions as determined by IONIC Health.

9. Responsibility and Approval

This policy is approved by the executive leadership of Ionic Health and maintained by the Information Security and Privacy Office. It is reviewed periodically — at least once a year — or whenever significant legal, organizational, or technological changes occur.

Contact Us

For questions or to report a security or privacy concern, contact us at: cybersec@ionic.health