Security Measures- Hardware, Software, Processes, Procedures and Maintenance

CustomerData

Privacy of customer data is our top concern, and is one of the primary reasons we built our entire platform from scratch. We limit access of customer files only to the specific typist working on a particular file, and to the proof readers that audit the files.

Company uses SSL encryption when sending and receiving files over the Internet. Customer data is accessed over an encrypted SHA-2 SSL connection and requires both a unique username and password. Encryption creates a secure channel between the customer's web browser and the Company servers and prevents eavesdropping, message tampering and message forgery. Each customer, each transcriber, and each proof reader has their own username and password.

Files are processed either directly on company’s server or on the transcriber's computer, in which case they are deleted within 72 hours following completion of the assignment. In our backend, all intra-server communication across the open internet occurs over VPN and is encrypted using 1024 bit public/private keys.

Employee and Contractor Review

Prospective new transcribers and staff must navigate a labyrinth of requirements which include a review of their qualifications, extensive testing, background checks, and reference checks to ascertain level of honesty, integrity and reliability. Further, the transcribers must read and agree to comply with a myriad of agreements including Typist Handbook, Company Policies and Code of Ethics, Confidentiality Agreement, HIPAA Business Associate Agreement, and Disclosure and Authorization.

As an integral part of company’s ongoing security and confidentiality compliance procedures, each month, typists must acknowledge and swear, under penalty of perjury, that have complied with and still agree to all the terms outlined in the above agreements.

Credit Card Data

No one in the company has customer credit card data, as this is encrypted and stored with a third-party provider called Chargify. Chargify has attained Level 1 PCI compliance, which is the highest level of compliance with the payment card industry’s security standards for credit card data. This is the same level as banks and payment gateways. PCI Level 1 means that Chargify has been audited by an outside firm and found to meet or exceed their standards for data storage, employee background checks, processes for updating programs, etc. Chargify ensures all your communications and data are secure based on stringent security guidelines.

HIPAA Compliance

We are a HIPAA compliant transcription provider, authorized to process files with private medical data. This is strong evidence of our attention to detail when it comes to security.

Safeguarding our customer's data, including Protected Health Information (PHI), is a top priority. Our privacy & security policies and procedures adhere to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Our Full HIPAA Statement is available upon request. Our Business Associate Agreement is online at HIPAA_Business_Associate.pdf

General System Architecture and Topology

Our system is completely in the cloud, virtualized and redundantly load balanced using DNS failover and Nagios IP monitoring. Nagios monitors our entire IT infrastructure to ensure systems, applications, services, and business processes are functioning properly. In the event of a failure, Nagios alerts our technical staff of the problem, allowing us to immediately begin the remediation process.

Our servers are hosted in Softlayer's data center in Dallas, Texas, and all aspects of our platforms are fully password protected, with no access to data by the transcribers and limited access by supervisors. Our Softlayer data center has biometric security requirements, oversized fire protection, and large backup power installations which are tested regularly. Our data center is hardened against physical intrusion, and server room access is limited to certified employees. All of Softlayer’s controls (inside and outside the data center) are vetted by third-party auditors, and they provide detailed reports for their customers' own security certifications. The most sensitive financial, healthcare, and government workloads require the unparalleled protection SoftLayer provides. Softlayer’s security precautions are outlined in more detail at www.softlayer.com/facilities/data-center-overview

Deployment of Code Changes

Since we are a web based service, most code enhancements occur behind the scenes and do not affect the customer. We use a continuous integration approach to development, supported by peer review of code and automated testing on our development server to ensure that each change is completely stable before releasing it.

Our API commands have never changed since launch and any time we release a new API, we keep the deprecated commands live so that all existing code will never break, employing backwards compatibility. Further, no frameworks need to be upgraded on customer’s side whenever we roll out a new feature.