Information Security (iperceptions/Astute VoC)
Last Updated: November 23, 2018.
iperceptions offers its solution in a SaaS model as an annual subscription with a secured, web-based login. The portal application, as well as all data at rest, is hosted in SSAE16-certified Tier-3 data centers located in Canada. A global network of cloud-based points of presence is also used for collecting transient data such as collection and clickstream data.
To ensure business remains uninterrupted, we operate under a 99.5% SLA availability commitment; average monthly availability was 99.9% for the period 2014 to 2018. Production systems are configured for high availability and scalability with active 24/7 monitoring. We have a dedicated Online Operations Team that can be reached 24/7 through the Technical Emergency Hotline. The company also maintains a Business Continuity Plan (BCP).
Customer data is one of the most valuable assets our clients have. That is why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their businesses protected.
Compliance and Certifications
iperceptions’ operations are governed by a formal Governance Risk and Compliance (GRC) Information Security program, with documented Information Security and Privacy policies. Our security guidance is aligned with the HITRUST CSF, a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.
Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.
Through continual improvement and updating of the framework, HITRUST has made the CSF the most widely adopted security framework in the U.S. healthcare industry. This commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new regulations and security risks are introduced.
We have Information Security policies in place that cover the following areas: Compliance, User Training, Personnel Screening, Code of Conduct, Logical Access, Network Security, Incident Response Handling, Information Systems Development and Maintenance, Information Governance, Information Exchange, Encryption Management, Audits & Reviews and Hosting Security. Information Security policies are formally acknowledged by employees and suppliers and training is provided yearly. Regular assessment reviews of our suppliers’ Information Security posture are conducted and documented.
iperceptions’ virtual and physical servers are hosted at Tier III facilities holding SSAE 16 Type II and SOC 2 Type II certifications. Our facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power feeds, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both iperceptions and the co-location providers. The latest compliance reports can be made available for review upon request.
Our network is protected by redundant ICSA-certified layer 7 firewalls, best-in-class router technology, regular audits, network and application layer DoS protection, and correlated multi-layer threat scanning that monitors for malicious traffic and network attacks. Appropriate logs and automatic alerts are maintained on all network systems.
All sensitive communications with iperceptions servers are encrypted using industry standard Transport Layer Security (TLS), a protocol that encrypts traffic in transit and mitigates eavesdropping and spoofing, including between mail servers. VPN access is granted only on a need-to-use basis, and employees use a VPN with token-based two-factor authentication to connect to our systems. For email, our product supports and prefers the latest versions of TLS. Automated transmission of data files and deliverables is performed over FTPS, SFTP or HTTPS.
All access to data within iperceptions is governed by access rights and authenticated by username and password. Our security architecture ensures need-to-know segregation of customer data. Additional access controls include network IP restrictions. iperceptions’ Online Operations Team, as well as specific members of our Development Team, are the only individuals with access to iperceptions’ servers and production databases. Other iperceptions employees do not have access to iperceptions’ production servers.
iperceptions’ SaaS platform follows industry best practices on secure credential storage by storing only hashed and salted passwords. The platform supports task-based granular access privileges and configurable authentication settings for session inactivity time-outs, password length, complexity, expiry, and a limited number of login retries. It also maintains a robust application audit log, including security events such as user logins and configuration changes.
We sub-contract yearly manual application penetration tests.
Archived data and backups are treated with the same level of care as active data. Access to backups and to the restoration process is restricted. We maintain a disposition process for records and media. Hard copy media, such as paper, are shredded and/or destroyed beyond reconstruction. All data storage is properly sanitized before destruction or redeployment.
We maintain a process that enforces notification to the affected customer within twenty-four (24) hours of an incident related to the security of information that likely or effectively resulted in wrongful access to data. Security incidents include the following: unauthorized physical access or breach, unauthorized logical access or breach, malware, DoS, breach of confidentiality, and systems access by an employee or contractor without appropriate clearance for such access or who otherwise uses the systems inappropriately. Clients will be notified of the approximate date and time of the incident. They will also be provided with a summary of all relevant facts, of the actions taken to rectify the processes, and of any negative impact from the incident.
To deliver its services, iperceptions must collect certain user information, including first/last name, email address and account-level passwords for accessing iperceptions’ SaaS platform. Unless expressly authorized, iperceptions will not disclose this confidential information to any third party or use this information in any manner other than to deliver the agreed-upon services. With its users’ express consent, iperceptions sends service update messages to its users at the email addresses they provided when requesting the service.
We welcome any further questions, are happy to provide clarifications when needed, and are open to audits by our customers. Please contact firstname.lastname@example.org for more information.