Cloud Security Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Cloud Security Policy
Framework Reference: Secure Controls Framework – Cloud Security (CLD)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Cloud Security requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to govern the selection, configuration, and monitoring of cloud services to protect data, meet regulatory obligations, and maintain service availability.
2. Applicability
Section titled “2. Applicability”This standard applies to all cloud services used by FRHC, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) platforms—whether directly contracted or consumed through third-party vendors—across production and non-production environments that process, store, or transmit ePHI or other sensitive data. FRHC’s primary cloud providers are Microsoft Azure and Wasabi.
3. Standard
Section titled “3. Standard”3.1 Cloud Services
Section titled “3.1 Cloud Services”All cloud services used at FRHC are reviewed by IT and compliance personnel prior to adoption to ensure that security, privacy, and data residency requirements are met. FRHC currently uses Microsoft Azure for backup compute environments and Wasabi for encrypted off-site backup storage. Both services are under contract and subject to annual security reviews. Offboarding processes include secure data transfer or deletion, revocation of access, and contract termination.
- Parent Policy Mapping: STH Cloud Security Policy, Section 3.1
- SCF Mapping: CLD-01 (Cloud Services)
3.2 Geolocation Requirements
Section titled “3.2 Geolocation Requirements”FRHC enforces strict geographic restrictions requiring that all cloud-based data storage and processing occur within the United States. Microsoft Azure services are configured to reside in the US-EAST-2 datacenter located in Virginia. All Wasabi storage buckets are located in Wasabi’s US-East region. These configurations ensure compliance with HIPAA data residency obligations and applicable business agreements.
- Parent Policy Mapping: STH Cloud Security Policy, Section 3.2
- SCF Mapping: CLD-09 (Geolocation Requirements for Processing, Storage and Service Locations)
3.3 Cloud Access Security Broker (CASB)
Section titled “3.3 Cloud Access Security Broker (CASB)”FRHC uses Microsoft Defender for Cloud Apps as its Cloud Access Security Broker (CASB) within the Microsoft Azure and Microsoft 365 ecosystem. This solution provides visibility into cloud activity, application usage, and risk indicators across the organization. It enables enforcement of conditional access policies, threat detection, and anomaly monitoring for users accessing cloud-based systems and services.
- Parent Policy Mapping: STH Cloud Security Policy, Section 3.3
- SCF Mapping: CLD-11 (Cloud Access Security Broker (CASB))
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting cloud security controls, including cloud service approvals, risk assessments, geolocation configurations, and CASB monitoring reports. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Cloud Security Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- 45 CFR §164.312(b) – Audit Controls
- AICPA SOC 2 Trust Services Criteria:
- Security (CC7.2, CC7.3)
- Confidentiality (C1)
- Availability (A1.2)
Framework Alignment:
- CLD-01 – Cloud Services
- CLD-09 – Geolocation Requirements for Processing, Storage and Service Locations
- CLD-11 – Cloud Access Security Broker (CASB)
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | March 2020 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 1.1 | Policy updated and approved for 2024 | May 2024 | WSI |
| 2.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 3.0 | Converted to Standard | April 2026 | M Machin |
| 3.1 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
