NorthStarSoftware

Compliance & Security Framework

Northstar AI Labs has built its security program on industry-leading frameworks and regulatory requirements. Our approach to compliance is architectural: security controls are designed into our systems from the ground up. We provide comprehensive policy documentation and are actively pursuing formal certifications.

Compliance as Architecture: We don't bolt compliance onto existing systems. Our sovereign AI infrastructure is designed from first principles to meet the most stringent regulatory requirements. Compliance controls are engineered in, not added on. We maintain comprehensive internal policies aligned with major frameworks and are pursuing formal third-party certifications.

1. HIPAA Readiness

Northstar provides HIPAA-ready AI infrastructure for healthcare organizations. We execute Business Associate Agreements and implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule:

Covered Entity Support

  • Business Associate Agreement: Standard BAA executed with all healthcare customers
  • PHI Handling: Protected Health Information never leaves customer-controlled infrastructure
  • Minimum Necessary: Access controls enforce minimum necessary standard
  • Audit Controls: Complete audit trail of all PHI access and processing

Technical Safeguards

  • Access Control: Unique user identification, automatic logoff, encryption
  • Audit Controls: Hardware, software, and procedural mechanisms for audit trails
  • Integrity Controls: Electronic mechanisms to corroborate data integrity
  • Transmission Security: Encryption of all PHI in transit

Administrative Safeguards

  • Designated Security Officer and Privacy Officer
  • Workforce training and security awareness program
  • Incident response and breach notification procedures
  • Regular risk assessments and security reviews

Physical Safeguards

  • Facility access controls and visitor management
  • Workstation security policies
  • Device and media controls for disposal and re-use

2. SOC 2 Alignment

Northstar's security program is aligned with SOC 2 Trust Service Criteria. We have implemented controls across all five trust service categories and are preparing for formal SOC 2 Type II examination:

Trust Service Criteria

  • Security: Protection against unauthorized access (logical and physical)
  • Availability: System availability for operation and use as committed
  • Processing Integrity: System processing is complete, valid, accurate, and timely
  • Confidentiality: Information designated as confidential is protected
  • Privacy: Personal information is collected, used, retained, and disclosed appropriately

Key Controls

  • Change management and release procedures
  • Logical access and identity management
  • Network security and monitoring
  • Incident response and problem management
  • Backup and recovery procedures
  • Vendor management and oversight

3. ISO 27001 Framework

Our Information Security Management System (ISMS) is built on the ISO 27001 framework. We have implemented the required policies, procedures, and controls, and plan to pursue formal certification:

ISMS Framework

  • Risk Management: Systematic identification and treatment of information security risks
  • Security Policy: Documented information security policies and procedures
  • Organization: Defined roles, responsibilities, and reporting structures
  • Asset Management: Inventory and classification of information assets

Control Domains

  • Human resource security (pre, during, and post-employment)
  • Physical and environmental security
  • Communications and operations management
  • Access control and cryptography
  • Systems acquisition, development, and maintenance
  • Supplier relationships and third-party management
  • Information security incident management
  • Business continuity management
  • Compliance with legal and contractual requirements

Continuous Improvement

  • Annual internal audits of the ISMS
  • Management review and security metrics
  • Corrective and preventive actions tracking
  • Preparing for external certification audit

4. FedRAMP Alignment

Northstar infrastructure is designed with FedRAMP requirements in mind for organizations requiring federal-grade security controls:

NIST 800-53 Based Controls

  • Impact Level: Architecture designed to support Moderate and High impact levels
  • Control Baseline: Security controls based on NIST SP 800-53
  • Continuous Monitoring: Monitoring procedures aligned with ConMon requirements
  • Documentation: Security documentation following SSP format available upon request

NIST 800-53 Control Families (selected)

  • Access Control (AC) - Identity and access management
  • Audit and Accountability (AU) - Logging and monitoring
  • Security Assessment and Authorization (CA) - Ongoing assessment
  • Configuration Management (CM) - Baseline and change control
  • Contingency Planning (CP) - Disaster recovery and business continuity
  • Identification and Authentication (IA) - Strong authentication
  • Incident Response (IR) - Incident handling procedures
  • Maintenance (MA) - System maintenance controls
  • Media Protection (MP) - Data storage and handling
  • Physical and Environmental Protection (PE) - Facility security
  • Planning (PL) - Security planning
  • Personnel Security (PS) - Background screening, transfer, and termination controls
  • Risk Assessment (RA) - Risk management
  • System and Services Acquisition (SA) - Secure development
  • System and Communications Protection (SC) - Encryption and isolation
  • System and Information Integrity (SI) - Flaw remediation and monitoring

5. Additional Frameworks

Northstar supports compliance with additional regulatory and industry frameworks:

Privacy Regulations

  • GDPR: EU General Data Protection Regulation compliance
  • CCPA/CPRA: California Consumer Privacy Act compliance
  • State Privacy Laws: Support for emerging state privacy requirements
  • Data Processing Agreements: Standard DPAs with appropriate clauses

Financial Services

  • GLBA: Gramm-Leach-Bliley Act safeguards
  • PCI DSS: Payment Card Industry Data Security Standard (where applicable)
  • SEC/FINRA: Recordkeeping and supervision requirements

Legal Industry

  • Attorney-Client Privilege: Architecture supporting privilege protection
  • ABA Guidelines: Compliance with ethics opinions on technology use
  • E-Discovery: Data preservation and collection capabilities

6. Audit & Assessment Support

Northstar supports customer compliance efforts with:

  • Policy Documentation: Comprehensive security policies available upon request
  • Customer Audits: Support for customer-initiated audits with reasonable notice
  • Questionnaire Support: Timely responses to security questionnaires (SIG, CAIQ, custom)
  • Evidence Collection: Assistance gathering evidence for customer audits
  • Security Assessments: Internal vulnerability assessments and remediation tracking

7. Compliance Documentation

The following documentation is available to customers:

Document                                   Availability
Information Security Policy                Under NDA
Access Control Policy                      Under NDA
Incident Response Plan                     Under NDA
Business Continuity Plan                   Under NDA
Data Retention Policy                      Under NDA
Vendor Management Policy                   Under NDA
Data Processing Agreement (DPA)            Standard Contract
Business Associate Agreement (BAA)         Standard Contract
Security Questionnaire Responses           On Request

8. Compliance Roadmap

Northstar is committed to continuously expanding our compliance certifications:

  • Current: HIPAA-ready (BAA available), SOC 2 aligned controls, ISO 27001 framework implemented, NIST 800-53 based security program
  • In Progress: SOC 2 Type II examination preparation, ISO 27001 certification readiness
  • Planned: HITRUST CSF, StateRAMP, third-party penetration testing program

9. Shared Responsibility

Compliance is a shared responsibility between Northstar and its customers:

Northstar Responsibilities

  • Infrastructure security and compliance controls
  • Platform security (encryption, access control, monitoring)
  • Security policy development and maintenance
  • Security updates and vulnerability management
  • Incident detection and response procedures

Customer Responsibilities

  • User access management and identity governance
  • Data classification and handling procedures
  • Application-level security controls
  • Compliance with applicable regulations for their industry
  • Training and awareness for their personnel

10. Contact Information

For compliance inquiries or to request documentation:

Legal Entity: North Star Software, LLC (DBA Northstar AI Labs)
Compliance Team: compliance@northstarsoftware.net
Security Team: security@northstarsoftware.net
General Inquiries: hello@northstarsoftware.net
Address: Minneapolis, MN