Skip to content

Cloud Security Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Cloud Security Policy
Framework Reference: Secure Controls Framework – Cloud Security (CLD)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Cloud Security requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to govern the selection, configuration, and monitoring of cloud services to protect data, meet regulatory obligations, and maintain service availability.


This standard applies to all cloud services used by FRHC, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) platforms—whether directly contracted or consumed through third-party vendors—across production and non-production environments that process, store, or transmit ePHI or other sensitive data. FRHC’s primary cloud providers are Microsoft Azure and Wasabi.


All cloud services used at FRHC are reviewed by IT and compliance personnel prior to adoption to ensure that security, privacy, and data residency requirements are met. FRHC currently uses Microsoft Azure for backup compute environments and Wasabi for encrypted off-site backup storage. Both services are under contract and subject to annual security reviews. Offboarding processes include secure data transfer or deletion, revocation of access, and contract termination.

  • Parent Policy Mapping: STH Cloud Security Policy, Section 3.1
  • SCF Mapping: CLD-01 (Cloud Services)

FRHC enforces strict geographic restrictions requiring that all cloud-based data storage and processing occur within the United States. Microsoft Azure services are configured to reside in the US-EAST-2 datacenter located in Virginia. All Wasabi storage buckets are located in Wasabi’s US-East region. These configurations ensure compliance with HIPAA data residency obligations and applicable business agreements.

  • Parent Policy Mapping: STH Cloud Security Policy, Section 3.2
  • SCF Mapping: CLD-09 (Geolocation Requirements for Processing, Storage and Service Locations)

FRHC uses Microsoft Defender for Cloud Apps as its Cloud Access Security Broker (CASB) within the Microsoft Azure and Microsoft 365 ecosystem. This solution provides visibility into cloud activity, application usage, and risk indicators across the organization. It enables enforcement of conditional access policies, threat detection, and anomaly monitoring for users accessing cloud-based systems and services.

  • Parent Policy Mapping: STH Cloud Security Policy, Section 3.3
  • SCF Mapping: CLD-11 (Cloud Access Security Broker (CASB))

FRHC maintains evidence supporting cloud security controls, including cloud service approvals, risk assessments, geolocation configurations, and CASB monitoring reports. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Cloud Security Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
    • 45 CFR §164.312(b) – Audit Controls
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.2, CC7.3)
    • Confidentiality (C1)
    • Availability (A1.2)

Framework Alignment:

  • CLD-01 – Cloud Services
  • CLD-09 – Geolocation Requirements for Processing, Storage and Service Locations
  • CLD-11 – Cloud Access Security Broker (CASB)

RevDescriptionDateApproved
-Policy createdMarch 2020M Machin
1.0Formatting UpdateSeptember 2022WSI
1.1Policy updated and approved for 2024May 2024WSI
2.0Updated and approved for 2025July 2025M Machin
3.0Converted to StandardApril 2026M Machin
3.1Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only