Security & Data Protections
Ensuring the privacy and security of your data is a top priority for us. You can rest easy knowing that we take every precaution to provide an online service with high grade security.
Product security
Secure access: Logging in is secured by multi-factor authentication (PropelAuth).
Permissions: Permission levels can be set within the app for your staff, so that only those who have been invited can access a client's information (PropelAuth).
Network and application security
Data Hosting and Storage: Panacea services and data are hosted in Amazon Web Services (AWS).
Failover and Disaster Recovery: Recovery processes are tested regularly.
Virtual Private Cloud: All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
Backups: Data backups are taken regularly. These backups allow the creation of a replica environment within a minimal period of time. Backups are stored in a different AWS availability zone, with restricted access.
Customer Support: Panacea operates a support ticketing system that allows administrators and end users to report any issues or errors they encounter.
Monitoring: An internal production monitoring dashboard aggregates information from multiple internal and third-party tools to monitor the production environment and protect it against potential threats or errors:
An internal notification mechanism alerts the operations and support teams to anomalies detected in production.
AWS analytical tools are configured to continuously monitor the status of the production environment, including server availability, CPU, memory, disk space and other key metrics; the cloud monitoring tool also sends alerts to the operations team based on preconfigured policies.
The Vercel usage service monitors frontend functioning.
Permissions and Authentication
All access to personal confidential data on IT systems is attributable to individuals and logged. The principle of least privilege is applied, so that users do not have access to data they have no business need to see.
We enforce two-factor authentication (2FA) and strong password policies on GitHub, Google and AWS to ensure that access to cloud services is protected.
Encryption
All data sent to or from Panacea is encrypted in transit using 256-bit encryption. Our API and application endpoints accept TLS/SSL connections only. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
24/7 Incident Response
We understand that Panacea may be critical to the well-being of your clients and business. That's why we have on-call engineers available at all times. Panacea implements a protocol for handling security events that includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies.
Additional Security features
Training: All employees complete HIPAA training annually.
Policies: Panacea has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Confidentiality: All employee contracts include a confidentiality agreement.
Payments: All payments made to Panacea go through Stripe. Details about their security setup can be found at Stripe's security page.
Data Protection: We follow the required HIPAA guidelines.
Data Sharing and Transfers: Like most companies, we use a number of third parties as part of our data processing, for example cloud services and technology services. We have a due diligence process for all our vendors, and all subprocessors of personal data have a Business Associate Agreement in place. We do not sell your data to anybody.
Questions?
If you think you may have found a security vulnerability, please get in touch with our team at support@openpanacea.com.