Skip to content

Security Policy Framework

This policy library defines the baseline controls Ouva applies to protect customer data and support reliable service delivery.

These policies are reviewed at least annually and after material platform or regulatory changes.

The policy set applies to:

  • Ouva cloud services used to deliver the application and supporting APIs
  • Managed kiosk and always-on display deployments operated with Ouva support
  • Internal operational processes used to develop, release, and support the platform
  • Personnel and contractors with approved access to production systems or customer data

Use the documents below for control-specific requirements:

  1. Access Control Procedures
  2. Audit and Logging Policy
  3. Business Continuity
  4. Change and Patch Management
  5. Disaster Recovery
  6. Incident Response Plan
  7. Secure Software Development Lifecycle
  8. Vulnerability Management Policy
  9. Conclusion

This framework is designed to align with common healthcare and enterprise security expectations, including:

  • HIPAA security requirements where applicable
  • SOC 2 Trust Services Criteria (Ouva’s primary infrastructure provider, Supabase, is SOC 2 Type 2 compliant)
  • NIST-aligned risk management and control practices

For platform implementation details, see Security & Privacy Controls, Authentication & SSO, and Telemetry & Data Egress.