At Prosody, we recognize the highly sensitive nature of the data entrusted to us by our partners. We also recognize the regulatory requirements set forth by HIPAA / HITECH and industry best practices and standards (e.g., the AICPA Trust Services Principles and ISO 27001 / 27002), and we strive to meet and exceed those requirements. The goal of this Security Statement is to provide transparency about our security practices and to help reassure you that your data is appropriately protected. You may report security issues to us at firstname.lastname@example.org
DATA CENTER SECURITY
Prosody utilizes Amazon Web Services (“AWS”) in order to take advantage of the elasticity, reliability and security of the AWS infrastructure delivered as a cloud service. All data is stored and processed in independently audited AWS facilities:
· AWS hosting facilities are audited under SOC 1 and SOC 2 (Type 1 and Type 2) reports and are certified to ISO standards
· Physical access to AWS hosting facilities requires biometric scanning
· 24 / 7 monitoring by security guards
· 24 / 7 video surveillance
· The AWS cloud infrastructure meets the requirements of an extensive list of global security standards and regulatory frameworks, including ISO 27001, SOC 1 / 2 / 3, HIPAA / HITECH, FedRAMP and the PCI Data Security Standard. Controls above the infrastructure layer (application, data and identity) remain Prosody’s responsibility and are described below.
· Performance and availability monitoring tools alert support teams for quick detection and triage of application issues.
· Internet-facing services and operating system packages are assessed for security vulnerabilities on a continuous basis.
· All communication with Prosody services is encrypted in transit using TLS.
· A web application firewall filters traffic to the application at multiple tiers.
· Sensitive data and electronic files are encrypted using the encryption facilities of the serverless services that store and process them.
· Prosody monitors application usage extensively from a security perspective and receives near-real-time notifications of security events.
· Passwords are stored using a secure password-hashing algorithm with an industry-standard work factor.
· The security of the web application is reviewed on a regular basis.
EMPLOYEE TRAINING AND POLICIES
· All Prosody employees are bound by confidentiality agreements and stringent policies regarding HIPAA compliance and data security.
· All Prosody employees receive regular training on HIPAA / HITECH compliance obligations and security best practices.
· Prosody’s Compliance / Privacy Officer and Chief Information Security Officer oversee the implementation and enforcement of Prosody’s HIPAA privacy, security and other compliance policies.
DATA LOSS PREVENTION AND BREACH PREPAREDNESS
· Disaster recovery processes, including automated data recovery and application restoration, are tested on a quarterly basis.
· DLP (Data Loss Prevention) solutions and data segmentation restrictions are used to detect and prevent malicious data exfiltration and accidental data sharing.
· Prosody maintains a security breach response plan so that data breaches are handled promptly and effectively.
PHYSICAL AND WORKSTATION SECURITY
· 24-hour staffed security on premises, with key-card access control.
· 24-hour video surveillance.
· All workstations enforce full-disk encryption and lock the session after an inactivity timeout.
· All workstations run anti-malware software.
· Operating system and software security updates are pushed at regular intervals.
· Web browsing activity is monitored and access to malicious websites is blocked.
COMPLIANCE AND AUDIT
· Prosody retains external regulatory advisory and legal counsel to consult and advise on privacy and security rules and regulations, as well as best practices.