Security and Privacy

Our controls follow the HIPAA Security Rule; the safeguards are listed below.

Data Security

  • Each customer's data is stored in a separate database, and access is controlled at the database level.
  • The application is read-only except for uploading EDI files. Limiting write paths narrows the attack surface and limits the impact of an SQL injection or similar flaw, although it does not by itself prevent such a flaw.
  • The database is protected by a complex password that is rotated every 90 days.
  • Uploaded files are periodically deleted from our servers.
  • If a customer terminates their subscription, we delete their database and the corresponding files.
  • Disks and backups are encrypted at rest.

Application Security

  • Password policy (complexity, expiration, etc.) follows NIST guidance.
  • Authentication is delegated to Okta; user credentials are never stored in our database.
  • Application APIs are disabled by default. When enabled, API access is authorized with OAuth 2.0, which allows scoped, short-lived access tokens instead of long-lived static API keys.
  • We always run the latest LTS Java release with current security patches.

Network/Server Security

  • Strict firewall rules are applied; only the HTTPS port is open to the public.
  • All communication is TLS-encrypted, including traffic within our own network.
  • The data and the application are hosted on dedicated servers in a separate network that is isolated from our public servers.
  • We follow Linux hardening best practices (root and password logins are disabled, unneeded libraries are removed, role-based access, etc.).
  • Access to production servers and databases is audited.
  • All servers and databases are patched regularly.
  • All servers are hosted in the US.
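The hardening bullet above states that root and password logins are disabled. The script below is an added example, not the vendor's own tooling or code from this page: it reads an sshd_config and reports whether those two settings are actually in effect, applying the same rules sshd does (the first value given for a keyword wins, and the global section ends at the first Match block). The sample configuration files, the function names and the assumed OpenSSH defaults (PermitRootLogin prohibit-password and PasswordAuthentication yes, as in OpenSSH 7.0 and later) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the vendor's tooling): verify that an sshd_config really
# disables root and password logins. Assumes the whitespace-separated
# "Keyword value" form of sshd_config directives.

# effective_value FILE KEYWORD -> prints the effective global value, lowercased,
# or nothing if the keyword is not set (so the OpenSSH default applies).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # commented out: ignored
        tolower($1) == "match" { exit }                    # global section ends here
        tolower($1) == key { print tolower($2); exit }     # first value wins
    ' "$1"
}

# check_sshd_hardening FILE -> returns 0 only when both logins are disabled.
check_sshd_hardening() {
    root=$(effective_value "$1" PermitRootLogin)
    pw=$(effective_value "$1" PasswordAuthentication)
    # Assumed OpenSSH defaults: PermitRootLogin prohibit-password (key-based
    # root login still allowed), PasswordAuthentication yes. Neither is enough.
    [ "${root:-prohibit-password}" = "no" ] || {
        echo "FAIL $1: PermitRootLogin=${root:-<default>}"; return 1; }
    [ "${pw:-yes}" = "no" ] || {
        echo "FAIL $1: PasswordAuthentication=${pw:-<default>}"; return 1; }
    echo "OK   $1: root and password logins disabled"
}

# Constructed sample configs so the script runs stand-alone.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
# hardened host
PermitRootLogin no
PasswordAuthentication no
EOF

LOOKS_OK=$(mktemp)
cat > "$LOOKS_OK" <<'EOF'
# the directives are present but commented out, so the defaults apply
#PermitRootLogin no
#PasswordAuthentication no
PermitRootLogin prohibit-password
EOF

for f in "$HARDENED" "$LOOKS_OK"; do
    check_sshd_hardening "$f" || echo "     -> $f does not meet the stated policy"
done
```

Run it against /etc/ssh/sshd_config on the host being assessed. The second sample shows the usual way such a check is fooled: the hardening lines are present in the file but commented out. The script deliberately stops at the first Match block, so any per-user or per-address overrides there have to be reviewed separately.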

Code Security

  • We perform security testing for every release.
  • All third-party dependencies and libraries are scanned for known vulnerabilities.
  • All dependencies are updated with each release.
  • We ship emergency releases when a zero-day exploit affects a third-party library we use.