1. Security Commitment
TeleMed Soluciones BPO S.A.S. recognizes that information security is a cornerstone of delivering BPO services to the healthcare sector. We are committed to protecting the confidentiality, integrity, and availability of information belonging to our clients, their patients, and our organization.
2. Scope
This policy applies to:
- All information processed in the delivery of TeleMed's BPO services
- All technology systems, platforms, and tools used
- All employees, contractors, and third parties with access to information
- Data from users who interact with TeleMed's website
3. Technical Security Measures
3.1 Encryption
- All communications between the website and users are secured via HTTPS with SSL/TLS certificates
- Data at rest in our systems is encrypted using the AES-256 standard
- Passwords are stored exclusively using secure hashing functions (bcrypt/Argon2)
3.2 Access Controls
- Least-privilege principle: each employee accesses only the information required for their role
- Multi-factor authentication (MFA) for all access to critical systems
- Periodic review of permissions and access rights
- Immediate access revocation upon end of employment or contractual relationship
3.3 Infrastructure
- Servers hosted with cloud providers certified under SOC 2 Type II
- Network segmentation and firewalls configured with default-deny policies
- Continuous security event monitoring (SIEM)
- Periodic penetration testing and vulnerability assessments
4. Organizational Measures
4.1 Staff Training
All TeleMed personnel receive mandatory information security training upon onboarding and periodically thereafter, with special emphasis on:
- Secure handling of health information (PHI/sensitive data)
- Recognizing and reporting phishing attempts and social engineering attacks
- Clean desk and screen lock policies
- Security incident reporting procedures
4.2 Confidentiality Agreements
All employees and third parties with access to client information are required to sign Non-Disclosure Agreements (NDAs) and are bound by non-disclosure obligations both during and after their relationship with TeleMed.
5. HIPAA Compliance
For services provided to U.S. healthcare clients, TeleMed operates in alignment with the Health Insurance Portability and Accountability Act (HIPAA):
- Business Associate Agreements (BAAs) signed with all covered clients
- Specific controls for handling Protected Health Information (PHI)
- PHI access segregation: only authorized and necessary personnel may access patient data
- Audit logging of all access to protected information
- Breach Notification response plan in accordance with HIPAA requirements
6. Security Incident Management
TeleMed maintains a formal incident management process that includes:
- Identification and classification of the incident
- Immediate containment and impact assessment
- Notification to affected clients within 72 hours of incident confirmation
- Forensic investigation and root cause remediation
- Documentation and lessons learned
To report a security incident: seguridad@telemed.com.co
7. Business Continuity
TeleMed maintains business continuity and disaster recovery plans that include:
- Encrypted, geographically distributed backups
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) per service
- Periodic backup restoration testing
- Contingency plans for critical infrastructure failure scenarios
8. Data Retention and Secure Deletion
Data is retained only for as long as necessary to fulfill service purposes and legal obligations. Upon expiration of the retention period or upon client request, data is securely deleted using methods that prevent recovery (secure erasure / certified media destruction).
9. Vendors and Third Parties
TeleMed assesses the security posture of technology vendors prior to engagement and contractually requires them to maintain equivalent security standards. Third parties with access to client data must comply with this policy's requirements and sign the appropriate agreements.
10. Policy Review
This policy is reviewed at least once a year or when significant organizational, technological, or regulatory changes occur. The current version will always be available on the website.
11. Security Contact
To report vulnerabilities or incidents, or for security-related inquiries:
TeleMed Soluciones BPO S.A.S.
Security email: seguridad@telemed.com.co
Website: www.telemed.com.co
Address: Medellín, Colombia