Security
Privacy & Security at Simply.Coach
With great trust comes great responsibility!
Protecting your data
HIPAA has three rules that protect patient health information:
1) The Privacy Rule: Protects “individually identifiable health information” (PHI) in any form, including electronic, paper, or oral.
2) The Security Rule: Protects patient health information.
This means increased trust for your practice among prospective clients!
GDPR compliance requires meeting the requirements for handling personal data as defined in the General Data Protection Regulation (GDPR). It is a binding regulation that was created by the European Union to regulate how organizations collect, handle, and protect the personal data of EU residents.
With Simply.Coach’s GDPR compliance, clients have greater control over how their data is collected, processed, and used. Compliance with GDPR principles such as data minimization, transparency, and consent ensures that clients’ personal information is handled ethically and lawfully.
SOC 2, or Service Organization Control Type 2, is a voluntary cybersecurity framework that assesses an organization’s information systems for security, availability, processing integrity, confidentiality, and privacy.
SOC 2 compliance standards include:
1) Security: Protecting information and systems from unauthorized access
2) Availability: Maintaining infrastructure, software, and information
3) Processing integrity: Ensuring systems perform as intended
Because Simply.Coach is SOC 2-compliant, your clients can rest assured that their data is processed and stored securely. SOC 2 compliance involves rigorous auditing of internal controls, risk management practices, and data protection measures, giving clients confidence in the reliability and trustworthiness of the service provider. With Simply.Coach’s SOC 2 compliance, you avoid any risks associated with data breaches, downtime, or inadequate security measures.
- We use AWS (Amazon Web Services), the world's #1 trusted hosting partner.
- Our dedicated clusters are deployed in a unique Virtual Private Cloud (VPC) with dedicated firewalls.
- Database Access is restricted to our production application server through a secure tunnel. No one (including our engineers) has access to the data.
- Access to our platform is secured by a SHA 256-bit encryption with 2048-bit key-strength for data access. This means that all your data is encrypted the moment it leaves your computer and is securely uploaded to our servers.
- All network traffic is encrypted using Transport Layer Security (TLS).
- Encryption for data at rest is automated using encrypted storage volumes.
Our platform comes built-in with role-based access through IAM that enforces segregation of duties so that data is only shown to the user who has valid access rights in place.
- Passwords are protected with salted hashes, which means no one (including us) can see your password.
- Accounts are automatically locked after 5 failed attempts.
- Password reset links are valid only for 6 hours.
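The three account-protection controls listed above (per-user salted password hashing, lockout after 5 failed attempts, and reset links that expire after 6 hours) can be implemented as shown in this added example. It is illustrative code written for this page, not Simply.Coach's own implementation; the `AccountStore` class, its method names and the in-memory dictionaries are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5            # lockout threshold stated on the page
RESET_LINK_TTL_SECONDS = 6 * 3600  # reset links are valid for 6 hours
PBKDF2_ITERATIONS = 600_000        # slow hash: brute force costs the attacker, not the user

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password store different digests, so stolen hashes can't be matched
    against precomputed tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class AccountStore:
    """Hypothetical in-memory store; a real service would persist these records."""
    def __init__(self):
        self.users = {}   # username -> {"salt", "digest", "failed", "locked"}
        self.resets = {}  # token -> (username, expires_at)

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "failed": 0, "locked": False}

    def login(self, username, password):
        """Returns "ok", "invalid" or "locked". Only the digest is stored, so the
        plaintext password is never visible to the operator."""
        user = self.users.get(username)
        if user is None:
            return "invalid"
        if user["locked"]:
            return "locked"                     # locked accounts reject even the right password
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):   # constant-time comparison
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "invalid"

    def issue_reset_token(self, username, now=None):
        """Unguessable, single-use token bound to an expiry 6 hours from issue."""
        token = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        self.resets[token] = (username, issued + RESET_LINK_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Consumes the token; rejects unknown or expired ones. A successful reset
        re-hashes the password with a new salt and clears any lockout."""
        entry = self.resets.pop(token, None)    # pop: the token can't be replayed
        if entry is None:
            return False
        username, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return False
        user = self.users[username]
        user["salt"], user["digest"] = hash_password(new_password)
        user["failed"], user["locked"] = 0, False
        return True
```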
Secure Product Development
Access to the production environment is restricted with a private key locked to our founder’s device. No one else has access to the production environment.
- Our product roadmap is reviewed periodically, security fixes are prioritised and are bundled in the earliest possible sprint.
- All changes are tested by the Quality Assurance team, and criteria are established for performing code reviews, web vulnerability assessment, and advanced security tests.
- Builds are put through stringent functionality tests, performance tests, stability tests, and UX tests before the build is certified “Good to go”.
- Source Code is managed centrally with version controls, and access is restricted based on various teams assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.
Highly Resilient Architecture
We automatically distribute application traffic across multiple availability zones that support high availability, auto-scaling and robust security.
We have near real-time backups taken across multiple availability zones in encrypted and access-controlled containers.
We have procedures established for reporting incidents and tracking them for timely communication, investigation, and resolution.
We use CloudFront (a global leader) as our CDN partner to distribute service spatially relative to end-users to provide high availability and high performance.
Frequently Asked Questions
Since these are confidential documents, the reports are accessible on request for our Leap & Surge customers after signing an NDA.
Yes we certainly do. Please reach out to our help desk and we will share the BAA signatures with you.
Take Simply.Coach for a spin!
Explore its possibilities for your business