Facility Access and Physical Security
2025.10
Bioscope AI operates in a co-working space environment managed by a subcontractor facility management provider. It is the goal of Bioscope AI to provide a safe and secure workspace for all employees while maintaining appropriate security controls.
IMPORTANT: No ePHI or other sensitive/critical data is stored on premises or accessible at physical office locations. All ePHI is stored and processed in HIPAA-compliant AWS cloud infrastructure with appropriate technical safeguards. Because no ePHI is present at Bioscope AI’s physical office location, HIPAA physical safeguard requirements (45 CFR § 164.310) apply primarily to our data center infrastructure, which is provided by AWS. Physical security of the office workspace is managed by our co-working space provider according to their security policies and procedures.
Policy Statements
Bioscope AI policy requires that:
(a) Physical office security is managed by the co-working space facility provider in accordance with their security policies and procedures.
(b) No ePHI or other critical data (as defined in Bioscope AI Data Classification Model) may be stored, printed, or otherwise maintained at physical office locations.
(c) All employees must follow physical security requirements and procedures established by the facility management provider.
(d) All workforce members are responsible for reporting security incidents, including unauthorized access attempts or suspicious activity, to Bioscope AI Security.
(e) Employees must secure their workstations when unattended and follow clean desk policies to protect company confidential information.
(f) Building security provisions such as fire safety, emergency exits, and evacuation procedures are maintained by the facility provider according to applicable laws and regulations.
Controls and Procedures
Physical Office Security
Bioscope AI maintains office space in a professionally managed co-working facility. Physical access controls, building security, surveillance, and facility maintenance are managed by the subcontractor facility provider.
The facility provider maintains security controls including:
- Building access control systems
- Surveillance and monitoring
- 24/7 facility security personnel (as applicable)
- Fire safety and emergency response systems
- Visitor management procedures
Bioscope AI employees must:
- Comply with all facility provider security policies and procedures
- Report any security concerns or incidents to Bioscope AI Security
- Follow visitor management procedures established by the facility provider
Data Center Security
Physical security of production data centers is ensured by our cloud infrastructure service provider, AWS.
AWS data centers include comprehensive physical security controls:
- 24/7 security guards and surveillance
- Multi-factor access control systems
- Environmental controls and monitoring
- Compliance with SOC 2, ISO 27001, and other security standards
Additional details about AWS physical security can be found in AWS compliance documentation and their SOC 2 reports, available under NDA.
Workstation Security
All Bioscope AI computing equipment must be secured to protect confidential company information:
- Workstations and laptops may only be accessed and utilized by authorized workforce members to complete assigned job responsibilities.
- All workforce members are required to monitor their devices and report unauthorized access attempts as per the System Access Policy.
- Computer workstations and laptops must be locked (password protected) when physically unattended.
- Laptops should not be left unattended in public areas of the office or co-working space. Portable devices should be taken home or secured in a locked area at the conclusion of the work day.
- All workstations purchased by Bioscope AI are company property and are distributed to users by the company.
- Lost or stolen devices must be reported immediately to IT and Security per the Incident Response policy.
Clean Desk Policy and Procedures
Employees must secure all confidential company information in their workspace at the conclusion of the work day and when away from their workspace.
Electronic Information:
- Computer workstations, laptops, and tablets must be locked (password protected) when physically unattended
- Portable devices such as laptops and tablets should be taken home at the conclusion of the work day or secured in a locked area
- Removable storage devices (USB drives, external hard drives) must be secured when not in use
- Passwords must not be written down or stored physically
Physical Information:
- No ePHI may be printed, stored, or maintained at physical office locations under any circumstances
- Confidential business documents (if printed) must be immediately removed from printers
- Confidential printed materials must be secured in locked storage when not in use or properly destroyed using cross-cut shredders
- Sensitive documents must not be left on desks overnight or when away from the workspace
Keys and Access Cards:
- Access cards or keys provided by the facility management provider must not be left unattended
- Lost or stolen access cards/keys must be reported immediately to the facility provider and Bioscope AI IT/Security
Incident Reporting
All workforce members must report physical security incidents to Bioscope AI Security at security@bioscope.ai, including:
- Unauthorized access or access attempts
- Lost or stolen laptops, devices, or access cards
- Suspicious activity at office locations
- Any concerns about physical security
Incidents will be handled according to the Incident Response Policy.