Security
Last updated on June 30, 2025

HIPAA Compliant

SOC 2 Under Audit & Ready
Security as a company value
Sonic AI's security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world. Clinician and patient trust is of the highest priority at Sonic AI. We hold ourselves accountable to a HIPAA-compliant data storage and processing protocol for all data captured and shared through our platform.
Secure Personnel
Sonic AI takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.
- All Sonic AI contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
Secure Development
- All development projects at Sonic AI, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
Sonic AI commissions third-party penetration testing and runs vulnerability scanning against all production and Internet-facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products. This ensures a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
Cloud Security
Hosted Sonic AI isolates each customer's environment and data within a multi-tenant cloud architecture.
Hosted Sonic AI leverages the native physical and network security features of the cloud service provider, and relies on the provider to maintain the underlying infrastructure, services, and physical access policies and procedures.
- All customer cloud environments and data are isolated using Sonic AI's account-based isolation approach: each customer environment is stored within a dedicated trust zone to prevent accidental or malicious co-mingling, and customer data is kept separate from Sonic AI's own data in the same way.
- All data is encrypted at rest and in transit to prevent unauthorized access. The platform is continuously monitored by dedicated, trained Sonic AI staff.
- Customer data protection follows SOC 2 criteria for encrypting data in transit and at rest, so customer and company data and sensitive information are protected at all times.
- We implement role-based access controls and the principle of least privilege, and review and revoke access as needed.
Guidelines
Web Application Security Scanning (NIST SP 500-269)
Our cloud-native application lifecycle follows the practices in NIST SP 800-190, "Application Container Security Guide", to protect our services and data from build through runtime.
Sonic AI uses Google Cloud IDS (Cloud Intrusion Detection System), built with Palo Alto Networks threat-detection technologies, to detect malware, spyware, command-and-control traffic, and other network-based threats.
Sonic AI implements strict IAM policies in Google Cloud to enforce the principle of least privilege, restricting access to the minimum required for each role. We also utilize Firestore Security Rules to control access to documents and collections in the database in an efficient and secure manner. These policies and rules are reviewed and updated regularly as part of our security maintenance process.
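The following ruleset is an added illustration of what "Firestore Security Rules that control access to documents and collections" means in practice; it is not Sonic AI's own ruleset, and the `encounters` collection, its field names and the clinician-owns-encounter model are assumptions made for the example. The commented-out rule at the top is the permissive pattern that causes most public Firestore data exposures; the rules beneath it show the same collection locked down to the authenticated owner, with the owner field and document shape enforced on write.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (never ship this): any client, including unauthenticated ones,
    // can read and write every document in the database.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Hardened version for a hypothetical "encounters" collection.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(data) {
      // Callers may only touch documents whose ownerUid is their own uid.
      return signedIn() && data.ownerUid == request.auth.uid;
    }

    match /encounters/{encounterId} {
      // Reads are scoped to the owning clinician.
      allow read: if isOwner(resource.data);

      // On create the document does not exist yet, so check the incoming
      // payload (request.resource) and pin the allowed set of fields.
      allow create: if isOwner(request.resource.data)
                    && request.resource.data.keys()
                         .hasOnly(['ownerUid', 'patientId', 'note', 'createdAt']);

      // On update the stored ownerUid must match the caller and must not change,
      // which blocks "re-assign this record to myself/someone else" writes.
      allow update: if isOwner(resource.data)
                    && request.resource.data.ownerUid == resource.data.ownerUid;

      allow delete: if isOwner(resource.data);
    }

    // Any path not matched above is denied by default.
  }
}
```

The check that is easiest to forget is the `create` branch: `resource.data` is empty for a document that does not yet exist, so an owner check written only against `resource.data` silently fails open or closed depending on how it is phrased. The Firebase emulator's rules unit-test harness can exercise each branch against both an owner and a non-owner identity before the rules are deployed.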
Additionally, we employ automated continuous security vulnerability scanning tools (dependabot) in our repositories to identify vulnerabilities early in the process. Regular third-party penetration testing further validates the security of our systems.
Sonic AI also scans its web applications with OWASP ZAP, a widely used open-source web application security scanner, using its automated and passive scanning, spidering, fuzzing, and intercepting-proxy features to find and remediate issues before release. Scan findings feed the remediation process so that vulnerabilities are fixed proactively rather than after exposure.
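As an added example (not Sonic AI's own tooling), the script below shows how a ZAP baseline scan is typically wired into a pipeline: the scan is run from the official container and asked for a JSON report, and a small gate then fails the build when alerts at or above a chosen risk level remain, minus any plugin ids that have been formally accepted. The embedded report is constructed for the example; the target URL and the accepted-risk list are assumptions.

```python
"""Gate a CI job on the JSON report produced by OWASP ZAP's baseline scan.

The scan itself is run separately, for example:
  docker run --rm -v "$PWD:/zap/wrk" ghcr.io/zaproxy/zaproxy:stable \
      zap-baseline.py -t https://app.example.com -J zap-report.json
This module parses the resulting zap-report.json and decides pass/fail.
"""
import json
import sys

# ZAP encodes risk as a string riskcode in the JSON report.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def failing_alerts(report, min_risk=2, allowlist=()):
    """Return alerts with riskcode >= min_risk whose pluginid is not allowlisted.

    Results are ordered highest risk first, then by plugin id, so the most
    important finding is always at the top of the job log.
    """
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", "0"))
            if risk < min_risk or str(alert.get("pluginid")) in allowlist:
                continue
            found.append({
                "site": site.get("@name"),
                "pluginid": str(alert.get("pluginid")),
                "name": alert.get("alert") or alert.get("name"),
                "riskcode": risk,
                "risk": RISK_NAMES.get(str(risk), str(risk)),
                "urls": [i.get("uri") for i in alert.get("instances", [])],
            })
    found.sort(key=lambda a: (-a["riskcode"], a["pluginid"]))
    return found


def gate(report_json, min_risk=2, allowlist=()):
    """Parse a JSON report string and return (passed, failing_alerts)."""
    alerts = failing_alerts(json.loads(report_json), min_risk, allowlist)
    return (len(alerts) == 0, alerts)


# Constructed sample report in the shape zap-baseline.py -J writes; the
# plugin ids are real ZAP rule ids, the findings themselves are invented.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://app.example.com",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://app.example.com/", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.com/login", "method": "GET"}]},
            {"pluginid": "90022", "alert": "Application Error Disclosure",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://app.example.com/api/notes", "method": "POST"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.example.com/search?q=x", "method": "GET"}]},
        ],
    }],
})


if __name__ == "__main__":
    # Usage: python zap_gate.py zap-report.json [min_risk] [allowed_pluginid ...]
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    accepted = tuple(sys.argv[3:])
    passed, alerts = gate(report_text, threshold, accepted)
    for a in alerts:
        print(f"[{a['risk']}] {a['pluginid']} {a['name']} on {a['site']}: {', '.join(a['urls'])}")
    print("ZAP gate:", "PASS" if passed else f"FAIL ({len(alerts)} alert(s))")
    sys.exit(0 if passed else 1)
```

Keeping the allowlist explicit (plugin id plus a ticket reference in the pipeline config) is what turns "we scan with ZAP" into something an auditor can trace: every suppressed finding has an owner and a reason, and a new finding of the same class on a different page still fails the build.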
Application Security
| Control | Description |
| --- | --- |
| Encryption | Data is encrypted in transit with TLS 1.2. Data is encrypted at rest with AES. |
| Continuous Monitoring | Independent third-party penetration, threat, and vulnerability testing. |
| Data Handling | Sonic AI is in full compliance with HIPAA and supports data deletion. |
| SSO | User access controls with single sign-on. |
| Secure Hosting | Sonic AI's cloud environments are backed by Google's security measures. |
| RBAC | Role-based account access workflows. |
Continuous Security Commitment
| Commitment | Description |
| --- | --- |
| Penetration Testing | We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised. |
| Security Awareness Training | Our team members are required to go through employee security awareness training. This covers industry-standard practices and information security topics such as phishing and password management. |
| Third-Party Audits | Our organization undergoes independent third-party assessments to test our security controls. |
| Roles and Responsibilities | Roles and responsibilities related to our information security program and the protection of our customers' data are well defined and documented. |
| Information Security Program | We have an information security program in place that is communicated throughout the organization. Our program follows the criteria set forth by SOC 2. |
| Continuous Monitoring | We continuously monitor our security and compliance status to ensure there are no lapses. |
Compliance
Sonic AI is committed to providing secure products and services to safely and easily manage digital identities across the country.
Our external certifications provide independent assurance of Sonic AI's dedication to protecting our customers. We regularly assess and validate the protections and effective security practices Sonic AI has in place.
SOC 2 Type 2
Sonic AI LLC is currently undergoing a SOC 2 Type 2 audit.
Questions About Our Security?
We're here to help. Contact our security team for any questions about our practices.