Security and compliance built for healthcare from day one.

As a SaaS vendor selling to an enterprise customer, what type of data do you need access to?

• Restricted (i.e. highly confidential information such as PII, personal identifiable information)

What is your recovery time objective in case of critical failure?

• 24 hours

What is your recovery point objective in case of critical failure?

• 24 hours

Are you also using other third-party services to manage or support your customers?

• Yes

Are you hosted only on one of the major cloud providers or do you have any on-premise systems?

• Major Cloud Provider

Delty maintains detailed audit logs across systems to capture user activity, access events, and configuration changes. Logs are retained securely and regularly reviewed to support compliance and security investigations.

Delty enforces role-based access control (RBAC) to ensure users only have access aligned with their responsibilities. Permissions are granted on a least-privilege basis and reviewed periodically.

Auditor: MJD Advisors
Reach out at founders@delty.ai to get access.

Auditor: MJD Advisors

Reach out at founders@delty.ai to get access.

Delty personnel access is comprehensively logged and access is recertified quarterly.

Database backups are performed daily.

Delty's standard data retention period for existing customers is the lesser of three (3) years and the period you are a customer. If a non-standard retention period is required due to regulatory or other mandatory business reasons, please contact us. If you cease being a Delty customer, your data will be irreversibly deleted in 15 days.

Customer data is encrypted at rest using AES256.

Customer data is encrypted in transit using TLS1.2.

Delty does not have traditional office spaces and instead leverage co-working spaces such as WeWork. We rely on railway.com to manage the physical and environmental security controls of their datacenter facilities in which Delty is hosted.

Delty values the information security community and encourages security researchers to participate in our responsible vulnerability disclosure program. To report a vulnerability, please contact us at founders@delty.ai. Every vulnerability report is triaged and assessed within 24 hours during business days.

All employees and contractors (with access to sensitive systems and data) are required to attend security awareness (including secure coding) training upon hire and annually thereafter. Additional security awareness notifications and updates from the Security and Compliance team are sent to employees and contractors as necessary.

Delty leverages static application security testing, dependency monitoring, as well as code reviews to remediate and prevent vulnerabilities in code. Additionally, every developer participates in secure coding training.

We use Large Language Models (LLMs) provided by our subprocessors Google Cloud, Anthropic and OpenAI to synthesize customer data (e.g., to understand codebases).

We maintain strict zero-data retention agreements with all of our subprocessors. This ensures that neither user nor customer data is stored beyond the point of inference. Once processing is complete, no data is retained on any subprocessor systems.

All our subprocessors are SOC 2 Type II compliant, and all customer data is hosted exclusively in the United States. Our subprocessors:

• Google Workspace – Email, document collaboration, and productivity tools
• Slack – Internal team communication
• Vercel – Hosting and deployment of frontend applications
• Railway.com – Backend infrastructure and deployment
• Supabase – Database, authentication, and storage services
• GitHub – Source code management and version control
• Postmark – Transactional email delivery
• Linear – Project management and issue tracking

https://commonpaper.com/standards/cloud-service-agreement/2.0

Delty will maintain security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data being Processed hereunder by Delty or any of Delty's Sub-Processors.

Delty has appointed Lalit Kundu as DPO, who may be contacted at lalit@delty.ai.

Delty personnel access to customer data is role based and provisioned based on the principle of least privilege. Approved Delty personnel with a need-to-know may access customer data in order to provide support and perform system maintenance.

Logs are centrally stored in Delty's SIEM solution and are stored for at least 12 months.

Delty-provisioned assets, such as laptops, have full disk encryption enabled.

The use of removable storage devices is technically restricted on Delty-provisioned assets and DLP rules are deployed to outgoing email via Delty's secure email gateway.

Logs are centrally stored in Delty's SIEM solution.

Contact founders@delty.ai to get access.

All Delty employees are required to complete the following trainings commencing employment and annually thereafter:

• Phishing Training
• Role-Based Training
• Security Awareness Training
• Cybersecurity Training
• Company Documents Training
• Passwords Training