Please list the certifications your app provides.

HIPAA Business Associate Agreement (BAA)


Does your app provide audit logs for when users access data?

Yes – the Administration section has an Audit tab with a log searchable by date, user and client; it tracks Create, View, Update and Delete operations.


Does your app provide audit logs for privileged admin activities?

Yes – included in the above, but not currently filterable by privileged activities.


Does your app provide support for role-based access control for privileged admin activity and/or access to sensitive data?

Yes – administrators can extend the initial roles with a custom permission vector.


Does the app leverage encryption to protect billing and payment information during purchase?

Not applicable (no purchasing functionality).


Does your app encrypt sensitive data at rest (disk/storage)?

Yes – passwords are encrypted at rest.


Does the app leverage encryption to protect tenants/users identities and credentials during authentication?

Yes – during authentication all exchanges are encrypted.


Does the app’s website support HTTPS for all of its pages (i.e. not just authentication)?

Yes.


Does your app provide support for sharing files/data with other tenants?

For security reasons, there is no support for sharing files or tenant-specific data.


Does your app provide reports and/or alerts for security breaches?

We are using a highly secure hosting provider and have mechanisms to protect against breaches, such as complex password requirements, 2FA and account locking after too many unsuccessful login attempts; however, a report and/or alert is not being generated at this time.
(See https://www.armor.com/spartan-platform/)


Does your app provide tenants with multifactor authentication options (digital certs, tokens, biometrics, etc.) for user access?

Yes – we use two-factor authentication (2FA) with time-limited tokens.


Does your app provide tenant admins the ability to create strong password policies?

We have a strong password policy based on the NIST recommendations; this policy can’t be changed by tenant administrators.

(See https://www.passwordping.com/nist-800-63-final/)


Does your app retain customer data after they cancel their service?

Yes – by law we are required to retain the data for 7 years.


Does your app support data backup in multiple locations/GEO regions?

Yes – we perform daily offsite backups with the ability to replicate to a different geographical location in case of a disaster.


Does your app provide the customer with the option to specify which physical location and/or GEO region to store their tenant’s data in?

Our servers are hosted in and replicated across highly secure locations within the United States; however, the tenants can’t specify the location of their data.


All of the above questions and answers are also available in PDF format: 15 Security Questions MedicalMime