Security & Compliance
Data Protection
Sensitive and confidential information is protected by:
- HIPAA compliant cloud provider: Amazon Web Services (AWS)
We use cloud services provided by AWS and we have a BAA signed with them.
- Access Control
- application: requires user and password and users are deactivated when no longer need to access the data.
- admin(infra): infra team has access to production resources and an audit log is in place.
- Encryption
- in transit: web application using HTTPS (AWS certificate)
- at rest: file storage using AWS S3 Encryption (SSE-S3) and database encryption using AWS RDS encryption (AES-256)
- Network Segmentation
Development and production environments are physically isolated in different regions. Networks and resources are not connected.
Data Purging
When we end a contract with an organization, we purge the records associated to them. That includes files and the database and AWS ensures the process is HIPAA compliant.
Detection capabilities
We use Datadog for infrastructure observability to alert us on API endpoints attacks (logs, traces) and network access.
Patch Management Process
- Hardware patch management is handled by Amazon Web Services.
- Application and Operative System: we use actively supported OS, application librarie and vulnerabilities detection system from Github.
Data Backup
Our two data sources are: the database (AWS RDS) and file storage (AWS S3)
- AWS RDS is a managed database service from AWS and snapshots are encrypted and stored in multiple availability zones to prevent data loss. We take daily snapshots and store them for 90 days.
- AWS S3 is a managed file store service from AWS which provides encrypted data storage and versioning. Versions are stored up to 90 days in the past.