Compliance Audits and External Communications

2025.10

Bioscope AI may be requested occasionally to share additional details regarding its compliance, privacy and security program by an external entity such as a customer, media, legal or law enforcement. Such external communication, beyond what is already publicly published, needs to comply with the following policies and procedures.

Policy Statements

Bioscope AI policy requires that:

(a) Bioscope AI operations must comply with all applicable laws, regulations, security standards and frameworks. External audits shall be conducted accordingly to each applicable compliance requirement.

• HIPAA/HITECH. Bioscope AI must comply with all requirements listed in the HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

• NIST. Bioscope AI security shall implement the applicable controls outlined in NIST Special Publication 800-53.

(b) All external communications related to compliance and customer/employee privacy must follow pre-established procedures and handled by approved personnel. This includes but is not limited to distribution of audit reports, assessment results, incidents and breach notification.

(c) Audit and compliance reports may be shared with an external party only when under signed NDA and approved by Bioscope AI Security and/or Privacy Officer.

Controls and Procedures

Compliance Program Management

Bioscope AI management and security/compliance team has identified and regularly reviews all relevant statutory, regulatory, and contractual requirements.

Bioscope AI’s compliance policy includes requirements to meet any and all applicable compliance requirements.

Additionally, the Vendor Risk Management policies and procedures specify the details related to contractual agreements with clients, partners and vendors, as well as requirements and process related to intellectual property rights and the use of proprietary software products.

Requesting Audit and Compliance Reports

Bioscope AI, at its sole discretion, shares audit reports and Corrective Action Plans (CAPs) with customers on a case by case basis. All audit reports are shared under explicit NDA in Bioscope AI format between Bioscope AI and party to receive materials. Audit reports can be requested by Bioscope AI workforce members for Customers or directly by Bioscope AI Customers.

The following process is used to request audit reports:

1. A request may be sent by email to compliance@bioscope.ai or by submitting a request via Bioscope AI Internal Support Portal or Email. In the request, please specify the type of report being requested and any required timelines for the report.
2. An Issue with the details of the request into the Bioscope AI Security Project on Linear, which is used to track requests status and outcomes.
3. Bioscope AI security team will confirm if a current NDA is in place with the party requesting the audit report. If there is no NDA in place, Bioscope AI will send one for execution.
4. Once it has been confirmed that an NDA is executed, Bioscope AI staff will move the Linear Issue to “Under Review”.
5. The Bioscope AI Security Officer or Privacy Officer must Approve or Reject the Issue. If the Issue is rejected, Bioscope AI will notify the requesting party that we cannot share the requested report.
6. If the Issue has been Approved, Bioscope AI will send the customer the requested audit report and complete the Linear Issue for the request.

See detailed policy and procedures in Breach Notification.

External Audits of Information Access and Activity

Prior to contracting with an external audit firm, Bioscope AI shall:

• Outline the audit responsibility, authority, and accountability;
• Choose an audit firm that is independent of other organizational operations;
• Ensure technical competence of the audit firm staff;
• Require the audit firm’s adherence to applicable codes of professional ethics;
• Obtain a signed HIPAA business associate agreement;
• Assign organizational responsibility for supervision of the external audit firm.

Whenever possible, a third party auditing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be auditing their own services to ensure separation of duties).

Contacts for External Communications Requests

Direct all other communication requests to one of the following:

• For incident reporting, vulnerability disclosure and other security related inquiries:

  • security@bioscope.ai
  • https://security.bioscope.ai/docs/

• For privacy concerns, including report of violation:

  • privacy@bioscope.ai
  • https://www.bioscope.ai/privacy-policy

• For all compliance related issues, including request of audit reports:

  • compliance@bioscope.ai

Continuous Compliance Monitoring

The status of compliance is tracked internally via multiple security tools. Compliance dashboards are configured with applicable internal and external standards and frameworks. Any potential gaps detected are reported on the compliance dashboards.