Data Protection Policy

Last updated: March 30, 2026

This Data Protection Policy describes how Cevi Inc protects personal data and protected health information (PHI) processed through our platform. Cevi is committed to maintaining the highest standards of data protection in compliance with HIPAA, GDPR, CCPA, and other applicable regulations.

1. Data Classification

Cevi classifies data into four categories: Public (information intended for public disclosure), Internal (information for internal business use), Confidential (sensitive business information requiring protection), and Restricted (PHI, PII, and other data subject to regulatory requirements). Each classification level has specific handling, storage, and access requirements.

2. Data Encryption

All data is encrypted in transit using TLS 1.2 or higher. All data at rest is encrypted using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation. Database backups are encrypted using the same standards.

3. Access Controls

Cevi enforces role-based access control (RBAC) across all systems. Access to production systems requires multi-factor authentication. Access privileges are reviewed quarterly. The principle of least privilege is applied: employees receive only the minimum access needed for their role. Access is revoked immediately upon termination.

4. Data Retention and Deletion

Customer data is retained for the duration of the service agreement plus 30 days for export. After this period, data is permanently deleted from production systems within 90 days. Backup copies are purged within 180 days of deletion from production. Customers may request data deletion at any time; we will fulfill such requests within 30 days.

5. Incident Response

Cevi maintains a formal incident response plan that is tested at least annually. Security incidents are classified by severity and escalated accordingly. Customers are notified of incidents affecting their data within 72 hours. Post-incident reviews are conducted and findings are used to improve security controls.

6. Vendor Management

All third-party vendors that process data on Cevi's behalf undergo a security assessment before engagement. Vendors must sign data processing agreements. We maintain an up-to-date list of subprocessors. Vendor security is reviewed annually.

7. Employee Training

All Cevi employees complete security awareness training upon hire and annually thereafter. Employees with access to PHI complete additional HIPAA-specific training. Training completion is tracked and enforced.

8. Contact

For questions about our data protection practices, contact us at: Cevi Inc, 16192 Coastal Hwy, Lewes, DE 19958, United States. Email: security@cevi.ai