
Glossary

Definitions of key terms in AI governance, compliance certifications, and regulated industry procurement.

A

Air-gapped

Deployment

A deployment in which the system is physically isolated from all external networks, including the internet; data and updates cross the gap only through controlled channels such as vetted removable media. Air-gapped deployments are used for highly sensitive applications that require maximum isolation, and their security depends on how tightly that media-transfer process is controlled.

Related: On-Premise, Network Isolation

B

BAA

Privacy

A Business Associate Agreement is a contract between a HIPAA covered entity and a business associate (a vendor that creates, receives, maintains, or transmits PHI on the entity's behalf). It establishes the permitted uses and disclosures of PHI, the safeguards the business associate must apply, and its breach-reporting obligations, and it must be in place before any PHI is shared.

Related: HIPAA, PHI, Covered Entity

Bias Testing

AI & ML

The process of evaluating an AI system for unfair bias across different demographic groups. Bias testing helps identify and mitigate discriminatory outcomes in AI decision-making.

Related: Fairness, Demographic Parity, Red Teaming
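The metrics a bias test usually starts with, worked on a constructed set of approval decisions for two demographic groups. This is an added example, not code from the original glossary; the group labels, the decision data, and the 0.8 adverse-impact threshold are illustrative assumptions.

```python
"""Group-fairness metrics for a binary classifier, as used in bias testing.

Added example; not part of the original glossary. The decision records
below are constructed, and the 0.8 threshold is an assumption taken from
the US EEOC "four-fifths rule" for adverse impact.
"""
from collections import defaultdict

# Constructed records: (demographic group, true outcome, model decision).
# Group A: 6 of 10 approved, 5 of its 6 true positives caught.
# Group B: 3 of 10 approved, 3 of its 6 true positives caught.
CONSTRUCTED_DECISIONS = (
    [("A", 1, 1)] * 5 + [("A", 1, 0)] + [("A", 0, 1)] + [("A", 0, 0)] * 3
    + [("B", 1, 1)] * 3 + [("B", 1, 0)] * 3 + [("B", 0, 0)] * 4
)


def selection_rates(records):
    """Fraction of favourable (positive) decisions per group."""
    totals, positives = defaultdict(int), defaultdict(int)
    for group, _label, decision in records:
        totals[group] += 1
        positives[group] += int(decision)
    return {g: positives[g] / totals[g] for g in totals}


def true_positive_rates(records):
    """Per-group recall: share of truly positive cases the model approved.
    Groups with no positive cases are omitted rather than divided by zero."""
    positives, hits = defaultdict(int), defaultdict(int)
    for group, label, decision in records:
        if label:
            positives[group] += 1
            hits[group] += int(decision)
    return {g: hits[g] / positives[g] for g in positives if positives[g]}


def demographic_parity_difference(records):
    """Largest minus smallest selection rate; 0.0 means perfect parity."""
    rates = selection_rates(records)
    return max(rates.values()) - min(rates.values())


def disparate_impact_ratio(records):
    """Lowest selection rate divided by the highest. If no group is ever
    approved the rates are trivially equal, so the ratio is reported as 1.0."""
    rates = selection_rates(records)
    highest = max(rates.values())
    return 1.0 if highest == 0 else min(rates.values()) / highest


def equal_opportunity_difference(records):
    """Largest minus smallest true positive rate across groups."""
    tprs = true_positive_rates(records)
    return max(tprs.values()) - min(tprs.values())


def bias_report(records, ratio_threshold=0.8):
    """Summarise the group-fairness metrics and flag adverse impact when the
    disparate impact ratio falls below the (assumed) four-fifths threshold."""
    ratio = disparate_impact_ratio(records)
    return {
        "selection_rates": selection_rates(records),
        "demographic_parity_difference": demographic_parity_difference(records),
        "disparate_impact_ratio": ratio,
        "equal_opportunity_difference": equal_opportunity_difference(records),
        "adverse_impact": ratio < ratio_threshold,
    }


if __name__ == "__main__":
    for key, value in bias_report(CONSTRUCTED_DECISIONS).items():
        print(f"{key}: {value}")
```

On the constructed data group B is approved at half the rate of group A, so the disparate impact ratio is 0.5 and the report flags adverse impact; the equal opportunity gap shows the model also misses more of group B's genuinely positive cases. Demographic parity and equal opportunity can disagree, which is why a bias test reports several metrics rather than one.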

C

CCPA

Privacy

The California Consumer Privacy Act gives California residents rights over their personal information, including the right to know what data is collected about them, to have it deleted, and to opt out of its sale. The CPRA amended and expanded it, adding among other things the right to correct data and to opt out of sharing for cross-context behavioral advertising.

Related: GDPR, CPRA, Privacy Rights

D

DPA

Privacy

A Data Processing Agreement is a legally binding contract between a data controller and a data processor. Article 28 of the GDPR requires one whenever a controller engages a processor to handle personal data on its behalf; it sets out the subject matter and duration of the processing, the processor's obligations (including security measures, rules for sub-processors, and assistance with data subject requests), and what happens to the data when processing ends.

Related: GDPR, Data Controller, Data Processor

E

Explainability

AI & ML

The degree to which an AI system's decisions can be understood by humans. Explainable AI (XAI) helps users understand how and why a model made a particular prediction or decision.

Related: Model Card, Black Box, Interpretability

F

FedRAMP

Certifications

The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

Related: StateRAMP, ATO, JAB

G

GDPR

Privacy

The General Data Protection Regulation is the European Union's comprehensive data protection law. It applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, regardless of where the processing itself takes place.

Related: CCPA, Data Privacy, DPA

H

HIPAA

Certifications

The Health Insurance Portability and Accountability Act is a US law whose Privacy, Security, and Breach Notification Rules set standards for protecting individually identifiable health information (PHI). Compliance is mandatory for covered entities and their business associates. There is no government-issued HIPAA certification; a vendor's compliance claim should be backed by a documented risk assessment and a signed BAA.

Related: PHI, HIPAA BAA, HITRUST

HITRUST

Certifications

The HITRUST CSF (Common Security Framework) is a certifiable control framework that harmonizes requirements from many regulations and standards, including HIPAA, ISO 27001, NIST, and PCI DSS. It is widely used in healthcare as an independently assessed way to demonstrate comprehensive security practices, since HIPAA itself has no certification.

Related: HIPAA, CSF

I

ISO 27001

Certifications

ISO/IEC 27001 is the international standard for information security management systems (ISMS). Certification by an accredited body attests that the organization has implemented, and maintains, a systematic, risk-based approach to managing information security; the certificate's scope statement and the Statement of Applicability define which systems and controls it actually covers.

Related: ISO 27701, ISMS

M

Model Card

AI & ML

Documentation that provides information about an ML model, including its intended use, performance characteristics, limitations, and ethical considerations. Model cards promote transparency and responsible AI development.

Related: Explainability, AI Transparency

O

On-Premise

Deployment

A deployment model in which software is installed and run on infrastructure at the customer's own location (properly "on-premises"), giving the organization full control over, and full responsibility for securing, the infrastructure and the data.

Related: SaaS, Hybrid, Self-Hosted

P

PCI DSS

Certifications

The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, is a security standard that applies to every organization that stores, processes, or transmits cardholder data, and to any organization that can affect the security of the cardholder data environment. Compliance is validated annually, by a self-assessment questionnaire or by a Qualified Security Assessor, depending on transaction volume and the card brands' requirements.

Related: PCI, Credit Card Security

PHI

Privacy

Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate, including demographic data, medical records, and payment information related to care. ePHI is PHI in electronic form, which the HIPAA Security Rule specifically governs.

Related: HIPAA, ePHI, Covered Entity

PII

Privacy

Personally Identifiable Information is any data that can identify a specific individual, either directly (name, address, Social Security number, biometric data) or in combination with other data (date of birth plus ZIP code, for example).

Related: PHI, Personal Data

R

Red Teaming

AI & ML

An adversarial testing approach in which a team deliberately attacks an AI system to find vulnerabilities, biases, or harmful outputs, for example through prompt injection, jailbreaks, extraction of training data, or inputs that elicit discriminatory responses. Red teaming helps identify risks before deployment.

Related: Bias Testing, Adversarial Testing

S

SaaS

Deployment

Software as a Service is a cloud-based delivery model where software is hosted by a provider and accessed by customers over the internet, typically via subscription.

Related: Cloud, On-Premise, PaaS

SOC 2

Certifications

SOC 2 (System and Organization Controls 2) is an attestation report, not a certification, issued by an independent CPA firm under AICPA standards. It describes a service organization's controls against the Trust Services Criteria: security (the one mandatory category, also called the common criteria), availability, processing integrity, confidentiality, and privacy. The report's scope and any exceptions the auditor noted matter as much as its existence.

Related: SOC 2 Type II, AICPA, Trust Service Criteria

SOC 2 Type II

Certifications

A SOC 2 report in which the auditor tests the operating effectiveness of controls over a review period (typically 6-12 months), as opposed to a Type I report, which assesses only whether the controls were suitably designed and in place at a single point in time.

Related: SOC 2, SOC 2 Type I

StateRAMP

Certifications

A security authorization program for cloud service providers serving state and local government agencies. Similar to FedRAMP but with requirements tailored for non-federal government use.

Related: FedRAMP

V

VPC

Deployment

A Virtual Private Cloud is a logically isolated virtual network within a public cloud provider's infrastructure, in which the customer defines its own address space, subnets, routing, and access controls. VPCs give network-level isolation and control while keeping cloud scalability; the isolation is logical rather than physical, since the underlying hardware remains shared with other tenants.

Related: Private Cloud, Cloud, Network Isolation
