Security Overview
At Centaur Labs, security and compliance are incredibly important to us and at the heart of our product design process. We follow a full complement of security, data protection and business continuity policies and comply with many of the best practices of relevant health information standards. A summary of our practices is as follows:
Information Security Program
Centaur Labs has successfully completed a SOC 2 Type 2 audit. The SOC 2 provides assurance to our customers that the security controls we have in place are effective and meet the standards set forth by the American Institute of Certified Public Accountants (AICPA). Our SOC 2 report is available to customers and prospects upon request.
Annual risk assessments are performed to identify potential risks to our security posture so that we can ensure that we are investing in the best areas of improvement to our programs.
Centaur Labs has developed security policies covering a wide range of tasks. The policies are updated frequently and shared with all employees who must read and agree to them on at least an annual basis.
All Centaur Labs employees must undergo security and privacy training upon hire and at least annually thereafter.
All employees are required to sign a confidentiality agreement.
Infrastructure
We host the Centaur Labs infrastructure on the Amazon Web Services (AWS) cloud, using AWS's best-of-breed management and security tooling.
Encryption in transit and at rest
All of your data is encrypted in transit using HTTPS (TLS 1.2 or 1.3), which protects your data while it is being transferred over the internet.
All persistent data is stored on highly available AWS S3 or Elastic Block Store volumes, which have AES-256 encryption built in.
Our encryption keys are all encrypted using keys managed through AWS Key Management Service (KMS).
Customers can opt to keep data in their own cloud storage. In this scenario, Centaur Labs annotators receive temporary read access to specific files through signed URLs.
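To make the signed-URL mechanism concrete, here is an added illustrative example (not Centaur Labs' code, and not the AWS S3 presigned-URL format) of a minimal HMAC-signed URL scheme with the same properties: a URL grants read access to one specific object, only until a fixed expiry, and any change to the path or the expiry invalidates the signature. The signing key, base URL and object path are constructed for the demonstration.

```python
"""Time-limited, file-scoped signed URLs (added example, not the page's own code)."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. In a real deployment the key lives in a managed secret
# store (for example one backed by AWS KMS) and is never shipped to clients.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _signature(key: bytes, path: str, expires: int) -> str:
    # Bind the HTTP method, the object path and the expiry into one MAC, so none
    # of them can be changed independently without invalidating the signature.
    msg = f"GET\n{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a read-only URL for `path` that expires `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = _signature(SIGNING_KEY, path, expires)
    return f"{base}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: reject expired, tampered or malformed URLs."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False  # access window has closed
    expected = _signature(SIGNING_KEY, parts.path, expires)
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    url = sign_url("https://storage.example", "/customer-a/scan-001.dcm", 300, now=1_000_000)
    print(url)
    print("valid now:", verify_url(url, now=1_000_100))
    print("valid after expiry:", verify_url(url, now=1_000_301))
```

The server that hands out such URLs decides the object and the lifetime; the annotator's client only ever holds a token that cannot be widened to other files or extended in time.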
Mobile Application Security
We use SSL pinning to prevent annotators who use our iOS application from proxying requests, so they cannot download customer files or metadata.
Screenshots, screen recordings, and AirPlay casting during use of our iOS application are tracked and users are automatically banned for violating our screen capture rules.
Customer datasets can be restricted to annotators who have signed a Business Associate Agreement (BAA).
Endpoint Security
All employee computers are centrally managed so we can enforce our security policies like administrative access, screen lockout, strong passwords, disk encryption and malware protection.
Identity and Access Management
We use Google Workspace to verify employee account identity and require two-factor authentication for apps that access critical infrastructure or customer data.
Passwords are securely hashed and salted using industry-standard cryptographic libraries.
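As an added example of what salted password hashing looks like in practice (this is illustrative code, not Centaur Labs' implementation, and the scrypt parameters are chosen for the demonstration), the block below stores a per-user random salt alongside a memory-hard scrypt hash from the Python standard library and verifies candidates with a constant-time comparison.

```python
"""Salted password hashing and verification (added example, not the page's own code)."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Illustrative work factors; tune N upward on faster hardware.
_N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt and hash."""
    # A fresh random salt per password defeats precomputed (rainbow) tables and
    # makes identical passwords produce different records.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=_N, r=_R, p=_P, dklen=_DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (
        _N, _R, _P,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, binascii.Error):
        return False  # malformed record: never treat as a match
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("correct password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Storing the parameters in the record lets the work factor be raised later without invalidating existing users: old records still verify with their own parameters and can be re-hashed on the next successful login.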
Code Quality
All changes to source code undergo pre-merge review by at least one other qualified engineer. The code review covers areas such as performance, security, and code quality.
Code is first deployed to a testing environment to ensure that it is functional and passes testing before being deployed to production.
Our code uses multiple techniques to protect against common application vulnerabilities such as the OWASP Top 10.
We have third-party penetration tests performed at least annually to ensure that we identify and fix any issues with code or infrastructure security that hackers could potentially exploit.
Monitoring
We monitor our infrastructure for security, performance, and availability to ensure that your data is always safe and our service is available.
Incident Management
We maintain an incident response process so that we have a standardized approach to handling any issue that could affect our security or availability. As part of the process, we always perform a post-mortem analysis and follow up on lessons learned so that we can improve our processes and product.
Contact us
If you have a security concern, question, or are aware of an incident, please send an email to [email protected], a carefully controlled and monitored email account.