Security and Privacy

We comply with the HIPAA Security Rule guidance; you can find the details below.

Data Security

Each customer’s data is stored in a separate database. We use access control at a database level.
Our application is read-only except for uploading EDI files. This reduces the risk of SQL injection and other vulnerabilities.
The database is password-protected with a complex password rotating every 90 days
Uploaded files are periodically deleted from servers
If a customer terminates the subscription to the application, we delete their database and corresponding files
We use discs and backups with at-rest encryption

We use NIST-compliant password policies (password complexity, password expiration, etc.)
We use the industry leader Okta as our authentication provider. We do not store user credentials in our database.
Application APIs are disabled by default. We use OAuth 2 for API authorization, which is more secure than API keys.
We always use the latest LTS Java release with up-to-date security patches

We apply strict firewall rules; only the HTTPS port is open to the public
We use only TLS-encrypted communication even within our own network
The data and the application are hosted on dedicated servers residing in a separate network that is isolated from our public servers
We follow best practices for Linux hardening (root and password logins are disabled, unneeded libraries are removed, role-based access, etc.())
Access to production servers/databases is audited
All servers and databases are patched on a regular basis
All servers are hosted in the US

We perform security testing for every release
We scan all third-party dependencies/libraries for vulnerabilities
All dependencies are updated with each release
We perform emergency releases in case of zero-day exploits in third-party libraries