Information Security

Last Updated: November 23, 2018.

iperceptions offers its solution in a SaaS model as an annual subscription with a secure web-based login. The portal application, as well as all data at rest, is hosted in SSAE16-certified Tier-3 data centers located in Canada. A global network of cloud-based points of presence is also used for collecting transient data such as collection and clickstream data.

To ensure business remains uninterrupted, we operate under a 99.5% SLA availability commitment; average monthly availability was 99.9% for the period 2014 to 2018. Production systems are configured for high availability and scalability with active 24/7 monitoring. We have a dedicated Online Operations Team that can be reached 24/7 through the Technical Emergency Hotline. The company also maintains a Business Continuity Plan (BCP).

Customer data is one of the most valuable assets our clients have. That is why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their businesses protected.

Compliance and Certifications

Governance

iperceptions’ operations are governed by a formal Governance, Risk and Compliance (GRC) Information Security program, with documented Information Security and Privacy policies. Our security guidance is aligned with the HITRUST CSF, a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.

Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.

By continuing to improve and update the framework, HITRUST has made the CSF the most widely adopted security framework in the U.S. healthcare industry. This commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new regulations and security risks are introduced.

Policies

We have Information Security policies in place that cover the following areas: Compliance, User Training, Personnel Screening, Code of Conduct, Logical Access, Network Security, Incident Response Handling, Information Systems Development and Maintenance, Information Governance, Information Exchange, Encryption Management, Audits & Reviews and Hosting Security. Information Security policies are formally acknowledged by employees and suppliers and training is provided yearly. Regular assessment reviews of our suppliers’ Information Security posture are conducted and documented.

Physical security

iperceptions’ virtual and physical servers are hosted in Tier III facilities that hold SSAE-16 Type II and SOC II Type II certifications. Our facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power feeds, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both iperceptions and the co-location providers. The latest compliance reports can be made available for review upon request.

Network security 

Our network is protected by redundant ICSA-certified layer 7 firewalls, best-of-class router technology, regular audits, network and application layer DoS protection and correlated multi-layer threat scanning that monitors for malicious traffic and network attacks. Appropriate logs and automatic alerts are maintained on all network systems.

Transmission security

All sensitive communications with iperceptions servers are encrypted using industry-standard Transport Layer Security (TLS), a protocol that also encrypts and delivers email securely and mitigates eavesdropping and spoofing between mail servers. VPN access is granted only on a need-to-use basis, and employees use a VPN with token-based two-factor authentication to connect to our systems. For email, our product supports and prefers the latest versions of TLS. Automated transmission of data files and deliverables is performed over FTPS, SFTP or HTTPS.

Access control 

All access to data within iperceptions is governed by access rights and authenticated by username and password. Our security architecture enforces need-to-know segregation of customer data. Additional access controls include network IP restrictions. iperceptions’ Online Operations Team, as well as specific members of our Development Team, are the only individuals with access to iperceptions’ servers and production databases. Other iperceptions employees do not have access to iperceptions’ production servers.

Application security

iperceptions’ SaaS platform follows industry best practices on secure credential storage by storing only salted password hashes. The platform supports task-based granular access privileges and configurable authentication settings for session inactivity time-outs, password length, complexity and expiry, and a limited number of login retries. It also maintains a robust application audit log that includes security events such as user logins and configuration changes.

We sub-contract yearly manual application penetration tests.

Data Security

Archived data and backups are treated with the same level of care as active data. Access to backups and to the restoration process is restricted. We maintain a disposition process for records and media. Hard-copy media, such as paper, are shredded or otherwise destroyed beyond reconstruction. All data storage is properly sanitized before destruction or redeployment.

Incident management

We maintain a process that enforces notification of the affected customer within twenty-four (24) hours of an incident related to the security of information that likely or actually resulted in wrongful access to data. Security incidents include the following: unauthorized physical access or breach, unauthorized logical access or breach, malware, DoS, breach of confidentiality, and systems access by an employee or contractor without appropriate clearance for such access or who otherwise uses the systems inappropriately. Clients will be notified of the approximate date and time of the incident. They will also be provided with a summary of all relevant facts, of the actions taken to rectify the processes, and of any negative impact from the incident.

Privacy

iperceptions’ privacy policy is published on its website. The policy identifies the information gathered, how it is used, with whom it is shared, and the customer’s ability to control the dissemination of information.

To deliver its services, iperceptions must collect certain user information, including first/last name, email address and account-level passwords for accessing iperceptions’ SaaS platform. Unless expressly authorized, iperceptions will not disclose this confidential information to any third party or use this information in any manner other than to deliver the agreed-upon services. With its users’ express consent, iperceptions sends service update messages to its users at the email addresses they provided when requesting the service.

iperceptions uses cookies and session storage on its customers’ visitors’ browsers as well as on SaaS portal end-users’ browsers. Cookies and session storage items may at times hold a generated unique number but never contain any personally identifiable information or sensitive information such as passwords. Deleting cookies will not be detrimental to the user experience of visitors, respondents or end-users, or to the proper working of iperceptions products. We provide detailed and transparent documentation about how cookies and session storage are used.

Contact Us

We welcome any further questions, are happy to provide clarifications when needed, and are open to audits by our customers. Please contact legal@iperceptions.com for more information.