NDS operates in compliance with key industry frameworks, including HIPAA, ISO 27799, and SOC 2 (SSAE 16). Our controls are regularly assessed through independent audits conducted by globally recognized third-party firms — providing verification that documented policies are consistently enforced in practice.
Customer data remains within customer-designated environments or US-based data centers, with no data processed or stored outside the United States. Access controls, encryption, and monitored systems are applied throughout the data lifecycle to protect confidentiality and integrity. All data is encrypted both at rest and in transit.
Each client operates within a dedicated, isolated server environment. All databases, AI models, logs, and application components are fully segregated at the infrastructure level. No cross-client access is permitted, and no inter-server communication or shared storage exists between client environments. Insights, outputs, or metadata derived from one client’s data are never shared with or applied to another client.
NDS applies appropriate PHI handling controls based on the requirements of each solution. Where PHI is not required for processing, patient identifiers are de-identified before any AI processing occurs. Where PHI is operationally necessary, it is handled within protected, access-controlled environments with encryption and audit logging throughout. In all cases, data access is limited to what is required for the specific workflow, following the principle of minimum necessary use.
Access to client environments is enforced through Role-Based Access Control (RBAC), with user-level authentication tied to specific project assignments. Only NDS personnel authorized for that client can access its environment. Configuration management, deployment access, and version control are restricted to authorized engineering personnel.
All AI systems operate within closed, air-gapped environments with no outbound API calls and no dependency on third-party AI services. Models are fine-tuned and hosted within client-specific servers. Firewall controls are deployed at every boundary to prevent data leakage and unauthorized access. Clients retain the ability to opt out of having their data used for model improvement, with configurable controls built into the system architecture.
Operational Resilience: Our security and continuity processes are designed to ensure operational resilience. Robust business continuity and disaster recovery mechanisms are in place to support uninterrupted service delivery and rapid restoration in the event of an incident — minimizing disruption while maintaining compliance and control.
© 2026 NDS InfoServ. All rights reserved.