JLK, Inc. places the highest priority on the security of customer data and the protection of personal information. As an organization handling sensitive medical data, we maintain a systematic and transparent security management program aligned with SOC 2 and HIPAA standards.
Core Principles (SOC 2 Trust Services Criteria)
We perform audits and verifications based on three key pillars:
- Security: Technical and administrative safeguards to prevent unauthorized access and data leakage.
- Availability: Redundancy and disaster recovery measures to ensure continuous, uninterrupted service.
- Confidentiality: Strict access control policies ensuring only authorized personnel access sensitive information.
Note: JLK, Inc. strictly complies with HIPAA requirements for Protected Health Information (PHI), applying encryption, access controls, and audit logging at every stage of data transmission and storage.
Infrastructure Security & Reliability
JLK's service infrastructure is built on Amazon Web Services (AWS), operating within a globally proven, secure cloud environment.
1. VPC Isolation (Virtual Network Segmentation)
- All service components are isolated within AWS VPCs.
- Traffic between internal and external networks is strictly separated to block unauthorized access and control data flow.
2. Firewall & Security Group Rules
- Principle of Least Privilege: Security groups for application, database, and management networks permit only minimum required traffic.
- Defense Measures: AWS Network ACLs and security group rules are utilized to prevent unauthorized access, port scanning, and DDoS attempts.
3. High Availability & Redundancy
- Multi-AZ Deployment: Core services operate across multiple Availability Zones (AZs) with automatic failover.
- Disaster Recovery: Regular backups and recovery tests are performed to minimize data loss risk.
Data Security & Privacy
JLK manages all data, including medical information, in compliance with HIPAA and SOC 2 security controls.
Data Encryption
| State | Method |
|---|---|
| In-Transit | Network traffic is protected using TLS 1.2+. Data traversing public networks is always encrypted. |
| At-Rest | Data is encrypted to AES-256 standards using AWS Key Management Service (KMS). Keys are managed separately. |
Access Control & Authentication
- RBAC: System access is restricted by Role-Based Access Control following the principle of least privilege.
- MFA: Multi-Factor Authentication is mandatory for all internal user and administrator accounts.
- Audit Logging: Access events and authentication attempts are stored in a centralized system for real-time monitoring.
Privacy & PHI Protection
- HIPAA Compliance: All personal data and PHI are processed strictly per HIPAA Privacy and Security Rules.
- Audit Trails: Actions such as access, viewing, modification, and downloading are logged; anomalous activities trigger automated alerts.
- Data Residency: Data is stored in AWS regions within the United States, with protective measures for cross-border access.
Development Security & Testing
JLK proactively manages vulnerabilities through a rigorous testing framework.
- Pre-Release: All code is tested for security vulnerabilities prior to deployment.
- Routine Scans:
  - Application vulnerability assessments.
  - Network vulnerability assessments.
  - Security control framework reviews.
- Penetration Testing: External penetration testing is conducted annually.
Policies & Procedures
We maintain a comprehensive suite of security policies, reviewed and updated annually. Mandatory security training is required for all employees.
Key Policies Include:
- Asset Management
- Data Protection & Retention
- Information Security
- Incident Response
- Risk Assessment
- System Access Control
- Vendor & Vulnerability Management
Vulnerability Disclosure & Reporting
We value the security research community. Vulnerabilities affecting aiscan.medihub.ai, the AISCAN app, snappy-us.medihub.ai, the FASTRO app or other assets can be reported responsibly.
- How to Report: Via our Google Form.
- Requirements: Please include a detailed description and reproducible steps (or a working PoC).
- Process: Report → Verification → CSO Review → Risk Assessment → Response.
Appendix & Reference Links
- Policy Documents: Privacy Policy, Information Security Policy, Terms of Service.
- Compliance: HIPAA Business Associate Agreement, AWS Compliance Center, JLK Trust Center.
- Latest Status: November 2025 — Ongoing SOC 2 Type II audit.