Avena Health | Trust Portal

Live monitoring by Delve

Avena Health Compliance Report

Avena Health is in compliance with security best practices, has implemented and is monitoring comprehensive controls, and maintains policies to outline its security procedures.

Ctrl+K

Compliance Certifications

We maintain the highest industry standards and regularly undergo rigorous third-party audits to ensure compliance.

Compliant

HIPAA

US regulation that safeguards medical data privacy and security. Essential for healthcare providers, insurers, and related tech.

Continuously monitored

Resource Library

Access our security documentation, policies, and compliance reports.

PDF

HIPAA Internal Privacy Policy

HIPAA Internal Privacy Policy document

Updated: November 2025

PDF

Personnel Security Policy

Personnel Security Policy document

Updated: November 2025

PDF

Information Security Policy

Information Security Policy document

Updated: November 2025

PDF

Access Control and Termination Policy

Access Control and Termination Policy document

Updated: November 2025

PDF

PHI De-identification Policy and Procedure

PHI De-identification Policy and Procedure document

Updated: November 2025

PDF

Risk and Governance Executive Committee Charter

Risk and Governance Executive Committee Charter document

Updated: November 2025

Security controls

Our comprehensive security program includes controls across multiple domains to protect your data.

Access Control & Authorization

LIVE

Access Control Procedures

Completed

Access Restricted to Modify Infrastructure

Completed

Access Review of Infrastructure

Completed

Compliance with Regulations & Standards

LIVE

Breach Notification Communication

Completed

ePhi Policy Accessibility Evidence

Completed

Information Security Policies and Procedures

Completed

Data Protection & Privacy

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Asset Disposal Procedure

Completed

IT & Operational Security

LIVE

Asset Disposal Procedure

Completed

Asset Register List

Completed

Asset Register Maintaining

Completed

Risk & Compliance Management

LIVE

Alerts and Remediation

Completed

Board Meeting Minutes

Completed

Chief Information Security Officer Appointment

Completed

Security & Incident Management

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Antivirus and Malware Configurations

Completed

Access Control & Authorization

LIVE

Access Control Procedures

Completed

Access Restricted to Modify Infrastructure

Completed

Access Review of Infrastructure

Completed

Alerts and Remediation

Completed

Compliance with Regulations & Standards

LIVE

Breach Notification Communication

Completed

ePhi Policy Accessibility Evidence

Completed

Information Security Policies and Procedures

Completed

Data Protection & Privacy

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Asset Disposal Procedure

Completed

Asset Register List

Completed

IT & Operational Security

LIVE

Asset Disposal Procedure

Completed

Asset Register List

Completed

Asset Register Maintaining

Completed

Breach Notification Communication

Completed

Risk & Compliance Management

LIVE

Alerts and Remediation

Completed

Board Meeting Minutes

Completed

Chief Information Security Officer Appointment

Completed

Cybersecurity Insurance

Completed

Security & Incident Management

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Antivirus and Malware Configurations

Completed

Breach Notification Communication

Completed

Access Control & Authorization

LIVE

Access Control Procedures

Completed

Access Restricted to Modify Infrastructure

Completed

Access Review of Infrastructure

Completed

Alerts and Remediation

Completed

Compliance with Regulations & Standards

LIVE

Breach Notification Communication

Completed

ePhi Policy Accessibility Evidence

Completed

Information Security Policies and Procedures

Completed

Data Protection & Privacy

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Asset Disposal Procedure

Completed

Asset Register List

Completed

IT & Operational Security

LIVE

Asset Disposal Procedure

Completed

Asset Register List

Completed

Asset Register Maintaining

Completed

Breach Notification Communication

Completed

Risk & Compliance Management

LIVE

Alerts and Remediation

Completed

Board Meeting Minutes

Completed

Chief Information Security Officer Appointment

Completed

Cybersecurity Insurance

Completed

Security & Incident Management

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Antivirus and Malware Configurations

Completed

Breach Notification Communication

Completed

Subprocessors directory

We carefully select and monitor all third-party services that process data on our behalf.

MongoDB

Data Stores & Warehouses

Slack

Business Apps & Productivity

Google Cloud Platform

Cloud Infrastructure & Platform Services

Google Workspace

Business Apps & Productivity

PostHog

Business Apps & Productivity

Frequently Asked Questions

Find answers to common questions about our security and compliance practices.

Our Security Commitment

At Avena Health, security isn't just a feature—it's foundational to everything we build. Our security-first mindset drives our development processes, infrastructure decisions, and organizational policies. We treat the data entrusted to us—whether from our customers, their end users, or anyone who interacts with our organization—with the utmost care and responsibility. Security is embedded in our DNA, enabling us to deliver innovative solutions without compromising on protection.

Monitored by

Live monitoring by Delve

Avena Health Compliance Report

Avena Health is in compliance with security best practices, has implemented and is monitoring comprehensive controls, and maintains policies to outline its security procedures.

Ctrl+K

Compliance Certifications

We maintain the highest industry standards and regularly undergo rigorous third-party audits to ensure compliance.

Compliant

HIPAA

US regulation that safeguards medical data privacy and security. Essential for healthcare providers, insurers, and related tech.

Continuously monitored

Resource Library

Access our security documentation, policies, and compliance reports.

PDF

HIPAA Internal Privacy Policy

HIPAA Internal Privacy Policy document

Updated: November 2025

PDF

Personnel Security Policy

Personnel Security Policy document

Updated: November 2025

PDF

Information Security Policy

Information Security Policy document

Updated: November 2025

PDF

Access Control and Termination Policy

Access Control and Termination Policy document

Updated: November 2025

PDF

PHI De-identification Policy and Procedure

PHI De-identification Policy and Procedure document

Updated: November 2025

PDF

Risk and Governance Executive Committee Charter

Risk and Governance Executive Committee Charter document

Updated: November 2025

Security controls

Our comprehensive security program includes controls across multiple domains to protect your data.

Access Control & Authorization

LIVE

Access Control Procedures

Completed

Access Restricted to Modify Infrastructure

Completed

Access Review of Infrastructure

Completed

Compliance with Regulations & Standards

LIVE

Breach Notification Communication

Completed

ePhi Policy Accessibility Evidence

Completed

Information Security Policies and Procedures

Completed

Data Protection & Privacy

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Asset Disposal Procedure

Completed

IT & Operational Security

LIVE

Asset Disposal Procedure

Completed

Asset Register List

Completed

Asset Register Maintaining

Completed

Risk & Compliance Management

LIVE

Alerts and Remediation

Completed

Board Meeting Minutes

Completed

Chief Information Security Officer Appointment

Completed

Security & Incident Management

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Antivirus and Malware Configurations

Completed

Access Control & Authorization

LIVE

Access Control Procedures

Completed

Access Restricted to Modify Infrastructure

Completed

Access Review of Infrastructure

Completed

Alerts and Remediation

Completed

Compliance with Regulations & Standards

LIVE

Breach Notification Communication

Completed

ePhi Policy Accessibility Evidence

Completed

Information Security Policies and Procedures

Completed

Data Protection & Privacy

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Asset Disposal Procedure

Completed

Asset Register List

Completed

IT & Operational Security

LIVE

Asset Disposal Procedure

Completed

Asset Register List

Completed

Asset Register Maintaining

Completed

Breach Notification Communication

Completed

Risk & Compliance Management

LIVE

Alerts and Remediation

Completed

Board Meeting Minutes

Completed

Chief Information Security Officer Appointment

Completed

Cybersecurity Insurance

Completed

Security & Incident Management

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Antivirus and Malware Configurations

Completed

Breach Notification Communication

Completed

Access Control & Authorization

LIVE

Access Control Procedures

Completed

Access Restricted to Modify Infrastructure

Completed

Access Review of Infrastructure

Completed

Alerts and Remediation

Completed

Compliance with Regulations & Standards

LIVE

Breach Notification Communication

Completed

ePhi Policy Accessibility Evidence

Completed

Information Security Policies and Procedures

Completed

Data Protection & Privacy

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Asset Disposal Procedure

Completed

Asset Register List

Completed

IT & Operational Security

LIVE

Asset Disposal Procedure

Completed

Asset Register List

Completed

Asset Register Maintaining

Completed

Breach Notification Communication

Completed

Risk & Compliance Management

LIVE

Alerts and Remediation

Completed

Board Meeting Minutes

Completed

Chief Information Security Officer Appointment

Completed

Cybersecurity Insurance

Completed

Security & Incident Management

LIVE

Access Restricted to Modify Infrastructure

Completed

Alerts and Remediation

Completed

Antivirus and Malware Configurations

Completed

Breach Notification Communication

Completed

Subprocessors directory

We carefully select and monitor all third-party services that process data on our behalf.

MongoDB

Data Stores & Warehouses

Slack

Business Apps & Productivity

Google Cloud Platform

Cloud Infrastructure & Platform Services

Google Workspace

Business Apps & Productivity

PostHog

Business Apps & Productivity

Frequently Asked Questions

Find answers to common questions about our security and compliance practices.

Our Security Commitment

Monitored by

Compliance Certifications

HIPAA

Resource Library

HIPAA Internal Privacy Policy

Personnel Security Policy

Information Security Policy

Access Control and Termination Policy

PHI De-identification Policy and Procedure

Risk and Governance Executive Committee Charter

Security controls

Access Control & Authorization

Compliance with Regulations & Standards

Data Protection & Privacy

IT & Operational Security

Risk & Compliance Management

Security & Incident Management

Access Control & Authorization

Compliance with Regulations & Standards

Data Protection & Privacy

IT & Operational Security

Risk & Compliance Management

Security & Incident Management

Access Control & Authorization

Compliance with Regulations & Standards

Data Protection & Privacy

IT & Operational Security

Risk & Compliance Management

Security & Incident Management

Subprocessors directory

MongoDB

Slack

Google Cloud Platform

Google Workspace

PostHog

Frequently Asked Questions

How are emergency changes handled?

How do you monitor vendor performance and compliance?

What is your approach to security patching?

How do we manage risks associated with third-party vendors?

What safeguards exist for source code changes?

What background verification is performed for new personnel?

Our Security Commitment

Compliance Certifications

HIPAA

Resource Library

HIPAA Internal Privacy Policy

Personnel Security Policy

Information Security Policy

Access Control and Termination Policy

PHI De-identification Policy and Procedure

Risk and Governance Executive Committee Charter

Security controls

Access Control & Authorization

Compliance with Regulations & Standards

Data Protection & Privacy

IT & Operational Security

Risk & Compliance Management

Security & Incident Management

Access Control & Authorization

Compliance with Regulations & Standards

Data Protection & Privacy

IT & Operational Security

Risk & Compliance Management

Security & Incident Management

Access Control & Authorization

Compliance with Regulations & Standards

Data Protection & Privacy

IT & Operational Security

Risk & Compliance Management

Security & Incident Management

Subprocessors directory

MongoDB

Slack

Google Cloud Platform

Google Workspace

PostHog

Frequently Asked Questions

How are emergency changes handled?

How do you monitor vendor performance and compliance?

What is your approach to security patching?