UPRISE PRIVACY AND SECURITY POLICIES
Privacy & Security
Last Updated: September 2017
Given the nature of Uprise’s core business, providing online health interventions, it is critical that the privacy and security of all data is maintained. This document outlines the steps Uprise takes, both technically and operationally, to ensure all client data is safe, secure, and confidential.
For further questions, please email me (firstname.lastname@example.org).
Mark Santoso (CTO, Uprise)
1. What Data Does Uprise Collect?
All participants, regardless of their enrolled program stream, provide the following information:
Basic personal information
- First and last name
- Email address (work or personal – at the participant’s discretion)
- Mobile phone number
Protected health information (hereafter ‘PHI’):
- Standard psychological assessments (WHO-5, PSS, ORS)
- Uprise proprietary measures of wellbeing
During coaching calls with Uprise clinicians, participants will typically disclose information about themselves that is not considered PHI, but is nevertheless confidential in nature.
2. Where is Data Stored?
All data is stored on Amazon Web Services (AWS), in the Sydney availability zone (hereafter ‘Uprise data centre’). Uprise uses the following AWS services:
Elastic Cloud Compute
Elastic Container Service
RDS for PostgreSQL
Basic personal information, as defined in Section 1, is duplicated across the following service providers:
- Purpose: Facilitating transactional emails and support interactions with Uprise participants
- Location: USA

Segment.io & Mixpanel
- Purpose: Providing Uprise with analytics on app behaviour and usage
- Location: USA

- Purpose: Automated and manual email marketing campaigns
- Location: USA (MailChimp region us.14)
PHI is never shared outside the Uprise data centre.
3. How Is the Uprise Data Centre Secured?
All data is stored at rest in a relational database (PostgreSQL), encrypted using the industry-standard AES-256 encryption algorithm.
In-transit data is encrypted over HTTPS. Uprise uses the Let’s Encrypt Certificate Authority, a global authority that issues us with a new SSL certificate every 90 days. Connections to the Uprise app (https://app.uprise.co, hereafter ‘App’) and Uprise’s proprietary patient management software (https://crm.uprise.co; hereafter ‘CRM’) use a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM).
4. Who Has Access to Uprise Data?
Uprise enforces strict access controls for its internal employees to ensure data confidentiality for clients, and a copy of these controls (Uprise’s Access Control Policy) is available on request.
Furthermore, physical controls are in place to ensure data is only accessible by Uprise employees. Uprise’s office is secured by a centralised electronic swipe card system; all staff computers are protected by automatic password time-outs after 5 minutes of inactivity; and full disk encryption is enforced on company and personal devices where possible.
PHI is never accessible by anyone other than a participant’s clinician, and is inaccessible from outside the CRM.
5. Who Has Access to Uprise’s Data Centre?
Uprise’s Data Centre is accessible only by Uprise’s Chief Technical Officer, Mark Santoso (email@example.com). Access is protected by public/private key pairings, stored on an encrypted hard drive.
6. How Long Will Uprise Persist Collected Data?
Uprise holds on to client data for seven years, in alignment with standard practices among healthcare and psychological professionals. This seven-year period ensures Uprise can fulfil its duty-of-care obligations to look after all participants. Although we highly recommend against doing so, this period can be adapted to suit your requirements.
7. Has Uprise Completed Any External Assurances?
Uprise has completed an ISO 27002 self-assessment, passing 80% of the standard’s best practices. Full ISO 27001 certification is currently slated for early 2018. Uprise is additionally evaluating ISO 27017/18 (controls for cloud services), which if pursued will supplement ISO 27001.
As a requirement for expansion to the United States, Uprise is working on HIPAA/HITECH compliance (which includes ISO 27001 certification).
Uprise follows a shared responsibility model (https://aws.amazon.com/compliance/shared-responsibility-model) with AWS. Uprise manages the security of data stored within AWS’s cloud infrastructure (our efforts are outlined in Sections 3-5); and security of the infrastructure itself is handled by AWS. Various ISO certifications and SOC assurances of AWS’s cloud infrastructure are provided by AWS, and are available on request.
8. Does Uprise Perform Regular Security Reviews?
Uprise conducts a yearly review of its security and privacy efforts. We plan to hold yearly penetration tests starting in 2018.
9. How Often Does Uprise Deploy Patches to Its Infrastructure?
All employee workstations run macOS 10.12 or Windows 10, which include the most recent security patches and anti-virus definitions. Servers run the latest version of Amazon Linux AMI. Open-source libraries and package managers associated with our application are patched daily during production builds.
10. Does Uprise Hold Backups? How Does Uprise Handle Emergency Situations?
Daily snapshots of the Uprise Data Centre are taken using Tarsnap, and stored in the AWS Glacier service to ensure accessibility during rare instances in which AWS’ standard Sydney availability is down.
Snapshot restoration is tested on a regular basis, to ensure backups are reliable and not corrupt. The last snapshot restoration test was conducted in July 2017.
Uprise’s Incident Management Policy and Business Continuity Plan are both available on request.