Trust Our Work
For five decades, organizations across the country have relied on Onpoint to manage, protect, and make sense of their most sensitive health data. As a nonprofit, mission-driven partner, we hold ourselves to the highest standards to ensure security, privacy, transparency, and trust.
Clients across the country trust Onpoint with their most sensitive information because we treat security as a core discipline – not a checkbox. Our systems, policies, and people are dedicated to earning that trust every day through transparency, vigilance, and uncompromising standards.
Data Security
Onpoint’s Information Security Program protects our clients’ data at every stage of the processing and storage pipeline. Backed by decades of secure operations for state and federal agencies, our certified framework is aligned with leading industry standards and strengthened through continuous testing and expert oversight.
Our Commitments to Data Protection
Onpoint’s security protocols are founded on four core commitments to keep data safe, secure, reliable, and responsibly used.
- Secure Infrastructure & Solutions
  We build industry-leading solutions that are carefully layered, continuously monitored, and architected to meet the highest security standards.
  - Hosted in FedRAMP-compliant, SOC 2-certified cloud environments
  - End-to-end encryption for data in motion and at rest
  - Advanced threat detection with 24/7 monitoring
  - Security-first practices reinforced through ongoing training for all staff
- Privacy Protections & Protocols
  We minimize access, protect every identifier, and ensure that privacy is preserved throughout the entire data lifecycle.
  - Role-based controls that limit access using “minimum-necessary” standards
  - Multi-factor authentication for reinforced access control and identity verification
  - PHI/PII protection measures, including field-level masking and data segmentation
  - Comprehensive audit logging for continuous monitoring, tracking, and accountability
- System Stability & Resilience
  We engineer our systems for stability, resilience, and uninterrupted availability, even in the face of unexpected events.
  - Daily encrypted back-ups with versioned data storage
  - Disaster-recovery plans and procedures for rapid restoration
  - Redundant cloud architecture for high availability and scalability
  - Proactive monitoring to detect issues before they can impact users
- Data Care & Stewardship
  We perform our work with an unmatched commitment to the care and custodianship of our clients’ data, putting responsible data handling at the heart of everything we do.
  - Strict data segregation so each client’s information remains fully isolated
  - No local or on-premises storage of sensitive information
  - 24/7 monitoring of role-based data access and permission controls
  - Formal governance processes with regular policy reviews and risk assessments
Certifications & Standards
Onpoint maintains a robust security posture, with systems that are rigorously tested and regularly certified in accordance with HITRUST, HIPAA, and other leading healthcare security and privacy standards. The certifications and frameworks that guide our proven compliance program include:
AI Principles & Practices
Onpoint is committed to the responsible, transparent, and ethical incorporation of artificial intelligence (AI) across our platforms and services when appropriate. We leverage AI to enhance, not replace, the judgment of the human analysts, researchers, and policymakers who depend on our data, solutions, and services.
Our AI principles ensure that:
- Data privacy comes first. AI tools used by our teams operate only within secured Onpoint environments that never expose any protected health information or personally identifiable information.
- Transparency precedes use. Any AI-assisted process is designed, tested, reviewed, documented, and explainable both internally and externally.
- Perimeters are enforced. No external AI tool has access to Onpoint’s systems or data; all models operate within our secure, client-specific environments with no access to the internet.
- Human oversight is required. Onpoint staff validate all AI-generated code, insights, and recommendations using a multi-step process prior to incorporation into any service or solution.
Our AI practices are used to:
- Enhance anomaly detection and quality validation using machine learning
- Automate and accelerate data profiling through cloud-based machine-learning tools
- Support AI-driven workflows for users within our secure analytics platform
- Enhance and streamline UI/UX design and software development processes
- Power AI-chat assistants and public-facing reporting interfaces that help users explore approved, de-identified transparency solutions
Additionally, all AI usage rigorously complies with Onpoint’s Information Security Program as well as applicable client-specific agreements and state and federal requirements.