Security and Privacy
We comply with the HIPAA Security Rule guidance; you can find the details below.
Data Security
- Each customer’s data is stored in a separate database. We enforce access control at the database level.
- Our application is read-only except for uploading EDI files. This reduces the risk of SQL injection and other vulnerabilities.
- The database is password-protected with a complex password that is rotated every 90 days.
- Uploaded files are periodically deleted from our servers.
- If a customer terminates their subscription to the application, we delete their database and the corresponding files.
- We use disks and backups with at-rest encryption.
Application Security
- We use NIST-compliant password policies (password complexity, password expiration, etc.).
- We use the industry leader Okta as our authentication provider. We do not store user credentials in our database.
- Application APIs are disabled by default. We use OAuth 2 for API authorization, which is more secure than API keys.
- We always use the latest LTS Java release with up-to-date security patches.
Network/Server Security
- We apply strict firewall rules; only the HTTPS port is open to the public.
- We use only TLS-encrypted communication, even within our own network.
- The data and the application are hosted on dedicated servers residing in a separate network that is isolated from our public servers.
- We follow best practices for Linux hardening (root and password logins are disabled, unneeded libraries are removed, role-based access, etc.).
- Access to production servers and databases is audited.
- All servers and databases are patched on a regular basis.
- All servers are hosted in the US.
Code Security
- We perform security testing for every release.
- We scan all third-party dependencies and libraries for vulnerabilities.
- All dependencies are updated with each release.
- We perform emergency releases in case of zero-day exploits in third-party libraries.