Skip to content

Physical & Environmental Security Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Physical & Environmental Security Policy
Framework Reference: Secure Controls Framework – Physical & Environmental Security (PES)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Physical & Environmental Security requirements established by Summit Technology Holdings, LLC (STH). It documents the controls used to protect FRHC facilities, systems, and sensitive information—including ePHI—against unauthorized physical access, tampering, and environmental disruption.


This standard applies to all physical locations where FRHC data is processed, stored, or transmitted, including FRHC office facilities and third-party data centers used by FRHC. It applies to all employees, contractors, vendors, and visitors who may require physical access to these locations.


FRHC’s production systems are hosted in third-party data centers that maintain appropriate physical and environmental protections, including perimeter security, fire suppression, HVAC redundancy, and power backup systems. FRHC validates these protections through vendor due diligence and review of data center compliance certifications (e.g., SOC 2 reports). FRHC office facilities implement physical access controls appropriate to the sensitivity of activities conducted.

  • Parent Policy Mapping: STH Physical & Environmental Security Policy, Section 3.1
  • SCF Mapping: PES-01 (Physical & Environmental Protections)

Physical access to FRHC facilities is authorized on a need-to-access basis. Access rights are assigned based on job function and reviewed periodically. Highly sensitive areas require explicit management approval. Access authorization records are maintained and updated promptly when roles change or employment ends.

  • Parent Policy Mapping: STH Physical & Environmental Security Policy, Section 3.2
  • SCF Mapping: PES-02 (Physical Access Authorizations)

FRHC enforces physical access controls at office entry points, including electronic badging where available. Sensitive areas with IT equipment are kept locked and accessible only to authorized personnel. Physical access at third-party data centers is managed by the hosting provider per their security controls, which FRHC validates through annual review of their compliance documentation.

  • Parent Policy Mapping: STH Physical & Environmental Security Policy, Section 3.3
  • SCF Mapping: PES-03 (Physical Access Control)

FRHC facilities use surveillance systems and access logging at entry and exit points. Monitoring records are retained in accordance with FRHC record retention requirements. Third-party data centers maintain equivalent or greater levels of physical access monitoring, validated through annual SOC 2 report review.

  • Parent Policy Mapping: STH Physical & Environmental Security Policy, Section 3.4
  • SCF Mapping: PES-05 (Monitoring Physical Access)

Visitors to FRHC facilities are required to sign in, wear visible identification, and be escorted by an authorized employee while in areas where sensitive systems or data may be accessed. Visitor logs are maintained and retained in accordance with FRHC record retention requirements.

  • Parent Policy Mapping: STH Physical & Environmental Security Policy, Section 3.5
  • SCF Mapping: PES-06 (Visitor Control)

FRHC maintains evidence of access authorization lists, visitor logs, physical access reviews, and third-party data center compliance documentation. Physical security controls are reviewed at least annually and after significant changes to facilities or hosting arrangements. Evidence is retained to support SOC 2 Type II audits and HIPAA Physical Safeguard requirements.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Physical & Environmental Security Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.310 – Physical Safeguards
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC6.3, CC6.7)
    • Availability (A1.2)

Framework Alignment:

  • PES-01 – Physical & Environmental Protections
  • PES-02 – Physical Access Authorizations
  • PES-03 – Physical Access Control
  • PES-05 – Monitoring Physical Access
  • PES-06 – Visitor Control

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin

Internal Use Only