Sweed maintains security and privacy policies, standards, and procedures to ensure compliance with relevant legal, contractual, and regulatory requirements.

Sweed interacts with data subjects throughout North America, and some regions have laws that grant specific rights to individuals. For more information about these rights and Sweed's commitment to protecting your privacy.

When our customers use our services, they might collect personal information from their own customers. We refer to this personal information as "Customer Data" in our agreements. Our role is to process this data according to the instructions of our customers. Consequently, our customers are responsible for the personal information they collect using Sweed's services and for complying with applicable privacy laws. If you wish to exercise a consumer rights request regarding personal information collected by a customer through Sweed's services, please contact the customer directly. We will assist in fulfilling the request as directed by the customer.

If you want to exercise any rights regarding personal information collected by Sweed (and not by our customers), you can do so by emailing [email protected]. Once a request is submitted, we might ask for additional information to verify your identity or provide further details to respond to your request. This may include your name, email, phone number, or other details related to your use of Sweed’s services. Your authorized agent can also submit requests in the same way, but we may require signed permission from you and independent verification of your identity.

For more details on our privacy practices and our dedication to protecting your privacy, please review our Privacy Policy.

The latest SOC 1 report from Sweed is available upon request and requires a signed Non-Disclosure Agreement.

The latest SOC 2 report from Sweed is available upon request and requires a signed Non-Disclosure Agreement.

At Sweed, we have a comprehensive security program that integrates security into every phase of our Software Development Life Cycle (SDLC). We are committed to providing secure applications to our customers. While no application is flawless, we follow widely accepted guidelines such as OWASP, NIST, and other frameworks to identify and mitigate security vulnerabilities. If you think you've discovered a security issue in our Sweed product line, please report it to [email protected].

Sweed ensures that its information assets are protected by implementing company-wide security requirements. All data created, processed, reviewed, reported, used, retained, retrieved, and destroyed is managed in accordance with Sweed's Data Classification and Ownership Policy and related Data Governance Standard.

Specific data protection standards are documented and implemented to comply with all relevant regulatory requirements.

All non-public information is encrypted at rest by default. Requests for exceptions are reviewed and approved by the Privacy and Security team. Additionally, Sweed uses column-level database encryption for all restricted data (e.g., PII, ePHI, etc.).

Sweed does not use any encryption that is not FIPS 140-2 compliant (U.S.A. only).

All data transmissions over external or untrusted networks are encrypted. All remote connections and non-console administrative sessions are secured with p encryption.

Sweed does not use any encryption that is not FIPS 140-2 compliant (U.S.A. only).

Sweed has a key management procedure in place to manage cryptographic keys throughout their entire lifecycle, including generation, storage, archiving, retrieval, distribution, retirement, and destruction. This procedure mandates the use of cryptographic algorithms, key lengths, and practices in line with best practices.

Before using Sweed's services or submitting any Personal Information to Sweed, please review our Privacy Policy and contact us with any questions at [email protected].

For customer data removal requests, please contact us via support. For additional privacy information, refer to Sweed's Privacy Policy or contact [email protected].

Sweed's data retention practices comply with its Data Classification and Ownership Policy as well as the Data Governance Standard, driven by regulatory requirements, executed Business Associate Agreements (BAAs), and other contractual obligations with customers and clients.

Sweed has developed and implemented an incident response program to detect and respond to threats and attacks. This program focuses on identifying, containing, investigating, and remediating security threats, including criteria for recording and reporting incidents responsibly. Sweed maintains a dedicated Security Operations team responsible for monitoring Sweed systems and executing incident response actions as defined in governing documents. These documents include an incident response plan, playbooks, and a documented incident reporting process to meet legal and ethical responsibilities. Vendors, service providers, and business associates are required to report any data compromise within twenty-four (24) hours of discovery.

Sweed is committed to safeguarding electronic Protected Health Information (ePHI) and preventing data breaches. The Breach Notification Response Plan provides oversight and guidance for responding to privacy and security breaches in compliance with federal and state laws.

Incident response and business continuity plans are tested annually with other business units to ensure that incident handling teams understand their responsibilities and that processes remain effective.

Sweed employs all necessary modern tools and methods to counteract Denial of service attacks.

All changes to our product undergo a mandatory multi-stage quality check. Only after positive results from this testing is the decision made to release the product for regular use.

Every element of our infrastructure is under constant monitoring by the appropriate teams. Sweed leadership conducts regular training sessions and performance evaluations for these teams.

Background verification checks are performed on all employment candidates per relevant laws, regulations, and ethics, considering the business requirements, information classification, and perceived risks.

Background verification includes relevant privacy laws, protection of personally identifiable information (PII), and employment-based legislation.

All new employees attend an approved security awareness training class within thirty (30) days of gaining access to any Sweed information resources. Contractors and relevant third parties receive security training appropriate for their roles.

Periodic security reminders, monthly updates, and annual training are conducted in line with regulatory and contractual requirements. The Data Protection Officer maintains records of security training attendance and employee acknowledgments.

All non-public information is encrypted at rest in accordance with Sweed's Encryption Policy, including data on company-issued workstations.

All applicant information is handled per relevant legislation. Candidates are informed about screening activities beforehand.

Sweed has developed and implemented a backup policy. According to this policy, we perform daily backups of all our data. Additionally, we regularly test these backups to ensure their completeness and accuracy during restoration.

From Multi-layer security Architecture to Zero Trust Architecture

Third-party penetration testing of in-scope systems (internal and internet-facing) is conducted annually. Sweed's pen test report is available for existing, new, and prospective customers upon request and signing of a Non-Disclosure Agreement.

Sweed has developed a vulnerability management program to track, evaluate, prioritize, and manage vulnerabilities identified through scanning until they are remediated or appropriately resolved. Sweed continuously scans its code, containers, software dependencies, and infrastructure for vulnerabilities, misconfigurations, and security weaknesses.