General Security Statement (p.d 5.4)

The purpose of this document is to provide a concise description of the major security philisophy of the .decimal p.d software and related systems. This document should provide an understanding of the risk profile to end users of the software, which will help establish the mindset necessary to answer many of the commonly asked questions regarding the safety and security of the application.

The first question to consider when assessing the safety or security of a system is typically, what is the risk of a breach. To answer this question regarding the p.d software (and the entire process of ordering patient-specific medical devices from our company) we need to first understand the following:

• p.d is a desktop software installed on customer supplied workstations
  • (customers are free to configure their workstations to meet their IT/IS requirements)
• All data is stored on customer systems behind their firewall
• p.d communicates to our company servers via authenticated HTTPS API requests
• All external communications are initiated by customer end users through the p.d software
  • (i.e. all communications are outbound only and our company has NO access to your network)
• p.d sends only the minimum data necessary to place an order
  • (i.e. no PHI or PII or sensitive billing information is included in the order files)
• A third party service, Auth0, is used to store passwords, so our staff does not have access to any end user password information

Based on these high level system features, it should be evident that the Information Security risk to our customers due to a breach of p.d or .decimal company systems is very low, as:

1. No patient information would be exposed
2. No sensitive customer information would be exposed

Our goal at .decimal is to make it easy for customers to do business with us. This is precisely why we have implemented processes that use the minimal data necessary to place orders and why we provide standalone software that is compatible with most workstation configurations. By framing the review of the p.d software and the .decimal device ordering process in the context of a “Low Risk” service, we hope that customers are better able to streamline the IT/IS review process and help facilitate the quick adoption of our outsourced manufacturing services into their clinic to improve patient care.