UPRISE PRIVACY AND SECURITY POLICIES
Privacy & Security
Last Updated: July 2018
Given the nature of Uprise’s core business, providing online health interventions, it is critical that the privacy and security of all data is maintained. This document outlines the steps Uprise takes, both technically and operationally, to ensure all client data is safe, secure, and confidential.
For further questions, please email me (email@example.com).
Mark Santoso (CTO, Uprise)
1. What Data Does Uprise Collect?
All participants, regardless of their enrolled program stream, provide the following information:
Basic personal information
- First and last name
- Email address (work or personal – at the participant’s discretion)
- Mobile phone number
Protected health information (hereafter ‘PHI’):
Assessments of wellbeing, stress, absenteeism, presenteeism, work performance, employee engagement, demographics and feedback about the Uprise program.
During coaching calls with Uprise clinicians, participants will typically disclose information about themselves that is not considered PHI, but is nevertheless confidential in nature.
Data We Collect - Full List
Wellbeing (World Health Organisation Wellbeing Scale)
Over the past two weeks, I have felt cheerful and in good spirits.
Over the past two weeks, I have felt calm and relaxed.
Over the past two weeks, I have felt active and vigorous.
Over the past two weeks, I woke up feeling fresh and rested.
Over the past two weeks, my daily life has been filled with things that interest me.
Stress (Perceived Stress Scale)
In the last week, how often have you felt that you were unable to control the important things in your life?
In the last week, how often have you felt confident about your ability to handle your personal problems?
In the last week, how often have you felt that things were going your way?
In the last week, how often have you felt difficulties were piling up so high that you could not overcome them?
PSYCAP (Psychological Capital Scale)
I can think of many ways to reach my current goals at work.
The future holds a lot of good in store for me at work.
When I'm in a difficult situation at work I can usually find my way out of it.
I can remain calm when facing difficulties at work because I can rely on my coping abilities.
Return on Investment (Harvard Work Performance Questionnaire)
How many days in the last week did you miss work due to mental or physical health reasons (e.g. stress, fatigue, illness)?
On how many days in the last week did you feel so impaired by stress, that even though you went to work, your productivity was reduced?
On these days when you went to work feeling stressed, what percentage of your time were you as productive as usual?
On a scale from 0 to 10, where 0 is the worst job performance anyone could have at your job and 10 is the best performance anyone could have, how would you rate your overall job performance on the days you worked in the past 4 weeks?
Employee Engagement (Net Promoter Score + Adapted Harvard Work Performance Questionnaire)
How likely are you to recommend your company to a friend as a great place to work?
On how many days in the past week have you felt so stressed or frustrated with work that you considered changing jobs?
Were you considering leaving your company but changed your mind as a result of getting support via Uprise?
In the past week, to what extent have you felt supported by your company?
In the past week, to what extent have you felt supported by your manager?
In the past week, how united has your team been in trying to reach its goals for performance?
Are any of the following making it hard for you to work effectively right now? Select from a list of 13 possible answers (e.g. 'overloaded with work')
Sleep (Pittsburgh Sleep Quality Index)
Please rate the quality of your sleep over the last week.
What is your gender?
What is your age?
Which of these best describe the type of work you are involved with?
Which of these best describe your position? (Senior management, middle management, operation level)
How many hours did you work in the last week?
How would you rate Module 1 (Mindset)?
How would you rate Module 2 (Balance)?
How would you rate Module 3 (Mindfulness)?
How would you rate Module 4 (Stress Management)?
How would you rate Module 4 (Perspective Taking)?
How would you rate Uprise Overall?
How would you rate your Uprise coach?
Would you recommend Uprise to a friend?
If you could change something about the Uprise program, what would it be?
2. Where is Data Stored?
All data is stored on Amazon Web Services (AWS), in the Sydney availability zone (hereafter ‘Uprise data centre’). Uprise uses the following AWS services:
Elastic Cloud Compute
Elastic Container Service
RDS for PostgreSQL
Basic personal information, as defined in Section 1, is duplicated across the following service providers:
o Purpose: Facilitating transactional emails and support interactions with Uprise participants
o Location: USA
Segment.io & Mixpanel
o Purpose: Providing Uprise with analytics on app behaviour and usage
o Location: USA
o Purpose: Automated and manual email marketing campaigns
o Location: USA (MailChimp region us.14)
PHI is never shared outside the Uprise data centre.
3. How Is the Uprise Data Centre Secured?
All data is stored at rest in a relational database (PostgreSQL), encrypted using the industry-standard AES-256 encryption algorithm.
In-transit data is encrypted over HTTPS. Uprise uses the Let’s Encrypt Certificate Authority, a global authority that issues us with a new SSL certificate every 90 days. Connections to the Uprise app (https://app.uprise.co, hereafter ‘App’) and Uprise’s proprietary patient management software (https://crm.uprise.co; hereafter ‘CRM’) use a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM).
Uprise uses Amazon Web Services data centres to host and store our data.
Core applications are deployed to an N+1 standard, so that in the event of a data centre failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
The IT infrastructure that AWS provides to Uprise is designed and managed in alignment with security best practices and a variety of IT security standards:
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
• SOC 2
• SOC 3
• FISMA, DIACAP, and FedRAMP
• DOD CSM Levels 1-5
• PCI DSS Level 1
• ISO 9001 / ISO 27001
• FIPS 140-2
• MTCS Level 3
4. Who Has Access to Uprise Data?
Uprise enforces strict access controls for its internal employees to ensure data confidentiality for clients, and a copy of these controls (Uprise’s Access Control Policy) is available on request.
Furthermore, physical controls are in place to ensure data is only accessible by Uprise employees. Uprise’s office is secured by a centralised electronic swipe card system; all staff computers are protected by automatic password time-outs after 5 minutes of inactivity; and full disk encryption is enforced on company and personal devices where possible.
PHI is never accessible by anyone other than a participant’s clinician, and is inaccessible from outside the CRM.
5. Who Has Access to Uprise’s Data Centre? How Is Premises Security at the Data Centre Maintained?
Uprise’s Data Centre is accessible only by Uprise’s Chief Technical Officer, Mark Santoso (firstname.lastname@example.org). Access is protected by public/private key pairings, stored on an encrypted hard drive. Please visit https://aws.amazon.com/compliance/data-center/controls/ for comprehensive details on physical security at AWS data centres.
6. How Long Will Uprise Persist Collected Data?
Users’ personal data is removed from production systems, but a backup copy may remain: snapshots are retained for seven years, as this is a record-keeping requirement for psychologists (see Section B.2, https://acpa.org.au/wp-content/themes/hueman-child/docs/APS-Code-of-Ethics.pdf). Backups are only used for restoring a technical environment, and data subjects’ personal data is not processed again after a restore (it is deleted again).
7. Has Uprise Completed Any External Assurances?
Uprise has completed an ISO 27002 self-assessment, passing 80% of the standard’s best practices. Full ISO 27001 certification is currently slated for early 2018. Uprise is additionally evaluating ISO 27017/18 (controls for cloud services), which if pursued will supplement ISO 27001.
As a requirement for expansion to the United States, Uprise is working on HIPAA/HITECH compliance (which includes ISO 27001 certification).
Uprise follows a shared responsibility model (https://aws.amazon.com/compliance/shared-responsibility-model) with AWS. Uprise manages the security of data stored within AWS’s cloud infrastructure (our efforts are outlined in Sections 3-5); and security of the infrastructure itself is handled by AWS. Various ISO certifications and SOC assurances of AWS’s cloud infrastructure are provided by AWS, and are available on request.
8. Does Uprise Perform Regular Security Reviews?
Uprise conducts a yearly review of its security and privacy efforts.
9. How Often Does Uprise Deploy Patches to Its Infrastructure?
All employee workstations run macOS 10.12 or Windows 10, which include the most recent security patches and anti-virus definitions. Servers run the latest version of Amazon Linux AMI. Open-source libraries and package managers associated with our application are patched daily during production builds. For Uprise apps, Uprise uses AWS Systems Manager Patch Manager to define the baseline rules for automated patching. We use Amazon’s default patch baselines, which automate patches for all security patches categorised as ‘Critical’ and ‘Important’ and for ‘All’ bugfix patches.
10. Does Uprise Hold Backups? How Does Uprise Handle Emergency Situations?
Daily snapshots of the Uprise Data Centre are taken using Tarsnap, and stored in the AWS Glacier service to ensure accessibility during rare instances in which AWS’ standard Sydney availability is down.
Snapshot restoration is tested on a regular basis, to ensure backups are reliable and not corrupt.
If an incident occurs, all relevant parties will be notified as soon as possible. The full Uprise Incident Management Policy is available on request.
11. How Do Employees Opt-in & Give Consent
Uprise can guarantee uptime of 95%. Uprise reserves the right to routinely perform maintenance on the production application, during which the application will be unusable for a period of time.
13. Connection Speed
Uprise data centres provide a maximum bandwidth of 25 Gbps.
14. Ownership of Information
Uprise retains ownership rights for data. We occasionally create research reports and marketing materials that discuss our outcomes. Uprise doesn’t publish data in any way that would identify our customer’s organisation, its employees or associates without prior written permission. Information is not shared with any third party, unless the company enters into a partnership with their health insurance provider to provide Uprise together with other services with the health insurer.
15. Uprise Access to Your Company's Data
Uprise does not require access to your company’s data or technology systems.
16. Does Uprise Have an App as Well as a Web App?
Both iOS and Android applications are available for download via the respective app stores, as well as the Uprise web app via login from the Uprise website. Users can log in using the same account they used when registering on the web app.
17. What is the password policy for Uprise? Do you enforce creation of strong passwords?
Uprise enforces use of a 10-character password. Uprise does not enforce 2FA for user passwords.
18. Do you have an IaaS or PaaS with Amazon?
IaaS through Amazon EC2 instances.
19. Where is the Uprise Database and all other services (e.g. OS, middleware, web app, etc) hosted?
The database is hosted by AWS RDS. The OS, middleware, and web app are hosted on AWS EC2. The database used with Uprise is an AWS RDS instance running PostgreSQL; it stores all the user data.
20. If a third-party requests information (e.g. new partnership, government request, insurer request), will you inform or ask permission before providing it?
Your organisation will be consulted and permission required before third-party access to data or information is granted.
21. How does Uprise maintain compliance for international data acts using AWS compliancy and policies?
AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that is applicable to personally identifiable information (PII) processed by public cloud service providers. Uprise refers to publicly available information from Amazon (https://d1.awsstatic.com/whitepapers/compliance/Using_AWS_in_the_context_of_Common_Privacy_and_Data_Protection_Considerations.pdf) to determine our compliance with data security acts in each country in which we operate.