Security Policy Framework
This policy library defines the baseline controls Ouva applies to protect customer data and support reliable service delivery.
These policies are reviewed at least annually and after material platform or regulatory changes.
The policy set applies to:
- Ouva cloud services used to deliver the application and supporting APIs
- Managed kiosk and always-on display deployments operated with Ouva support
- Internal operational processes used to develop, release, and support the platform
- Personnel and contractors with approved access to production systems or customer data
Control Domains
Section titled “Control Domains”Use the documents below for control-specific requirements:
- Access Control Procedures
- Audit and Logging Policy
- Business Continuity
- Change and Patch Management
- Disaster Recovery
- Incident Response Plan
- Secure Software Development Lifecycle
- Vulnerability Management Policy
- Conclusion
Alignment
Section titled “Alignment”This framework is designed to align with common healthcare and enterprise security expectations, including:
- HIPAA security requirements where applicable
- SOC 2 Trust Services Criteria (Ouva’s primary infrastructure provider, Supabase, is SOC 2 Type 2 compliant)
- NIST-aligned risk management and control practices
For platform implementation details, see Security & Privacy Controls, Authentication & SSO, and Telemetry & Data Egress.