Infrastructure compliant with HIPAA, PIPEDA and GDPR requirements
In-transit encryption of all data, including audio/video (end to end), using AES-256
HITRUST CSF aligned company policies and procedures
Built on AWS (SOC3 compliant, safe and secure)
Last updated on October 31, 2023
SimpleSet is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers in compliance with PIPEDA, HIPAA and GDPR. As providers of compliant, hosted infrastructure used by healthcare providers, SimpleSet strives to maintain compliance, to proactively address information security, to mitigate risk for its Customers, and to assure known breaches are completely and effectively communicated in a timely manner. The following page summarizes our compliance, security and privacy practices.
SimpleSet is hosted on AWS in the Canadian region. AWS data centers feature a layered security model for physical access. SimpleSet employees do not have physical access to AWS data centers, servers, network equipment, or storage.
SimpleSet is the assigned administrator of its infrastructure on AWS, and only designated, authorized SimpleSet operations team members have access to configure the infrastructure on an as-needed basis, behind a two-factor-authenticated virtual private network. Specific private keys are required for individual environments, and keys are stored in a secure and encrypted location.
SimpleSet undergoes regular internal authenticated and non-authenticated penetration testing. Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities.
AWS regularly undergoes various independent third-party audits and can provide verification of compliance controls for its data centers, infrastructure, and operations. AWS maintains annual certifications including HITRUST certification, ISO 27001 certification and annual SOC 3 attestations. SimpleSet performs yearly reviews of its third-party vendor certifications.
Unusual network patterns and suspicious behavior are among SimpleSet’s most significant concerns for infrastructure hosting and management. SimpleSet’s and AWS’s intrusion detection and prevention systems (AWS GuardDuty) rely on both signature-based and algorithm-based detection to identify traffic patterns that resemble known attack methods.
Every part of the SimpleSet service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) so that it continues to operate in case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.
SimpleSet keeps daily encrypted backups of data in the AWS Canada region. In the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.
In the event of a region-wide disaster, SimpleSet maintains a redundant Disaster Recovery Plan in Canada hosted on Microsoft Azure.
All data in SimpleSet servers is encrypted at rest. AWS stores and manages data cryptography keys in its redundant and globally distributed Key Management Service.
Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.
SimpleSet sends data exclusively over HTTPS connections protected by Transport Layer Security (TLS), providing additional security as data transits to and from the application.
SimpleSet retains data according to its Data Retention Policy. All customer data is maintained for as long as the customer holds a subscription with us. Should a customer discontinue service, SimpleSet permanently deletes its data after 6 months, and backups are expunged 60 days later.
In addition to password login, multi-factor authentication (MFA) provides an added layer of security to SimpleSet. We encourage MFA as an important step towards securing data access from intruders.
Clinic managers can also see which of their users have MFA enabled, or enforce MFA across the organization, so that organizations can vet their own security posture.
Users can configure automatic logoff settings to match their organizational policies.
User administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All SimpleSet clinic and enterprise managers are able to view audit logs, including records of viewing or editing ePHI.
With Clinic or Enterprise subscriptions, clinician accounts are handled at the organization level. Each SimpleSet user should have their own account and can choose their own personal preferences and notification settings. Access to organizations is controlled by the manager role.
For any organization on a SimpleSet subscription, the manager portal is the hub for seeing and managing users and usage. The user list includes the username, email, status, added date, teams, and role for each user and other permissions.
In the audit log, all actions within the SimpleSet application (e.g., view client, create exercise program) are listed chronologically by user, event, time and IP address, so you’ll always have a view into your organization’s most recent history.
SimpleSet practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull requests, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves the response time to, and the effective eradication of, bugs and vulnerabilities.
At SimpleSet, we know good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations are enrolled in Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) solutions to enforce security settings including full-disk encryption, screen lock, and OS updates.
SimpleSet follows the risk management procedures aligned with HITRUST.
All SimpleSet product changes must go through code review, CI, and the build pipeline to reach production servers. Only designated employees on SimpleSet’s operations team have secure shell (SSH) access to production servers.
We perform testing, risk management and change management on all systems and applications on a regular and ongoing basis. New changes are developed, reviewed, and deployed to production via pull request and internal review. New changes are documented and shared via staff presentations on lessons learned and best practices.
SimpleSet performs risk assessments throughout the product lifecycle per the standards outlined in HIPAA Security Rule, 45 CFR 164.308:
Before the integration of new system technologies and before changes are made to SimpleSet physical safeguards
While making changes to SimpleSet physical equipment and facilities that introduce new, untested configurations
Periodically as part of technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting security
The SimpleSet operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested for gaps and updated at least annually.
SimpleSet maintains an internal compliance management system, including a versioned repository of security policies, procedures and standards that is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to SimpleSet enterprise customers upon request:
Access Management
Change Management
Data Request
Data Management
Information Security
Incident Response
Policy Management and Maintenance
Risk Management
Vendor Management
Vulnerability Management
SimpleSet conducts background checks for all new hires.
All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.
All employees additionally complete security training at least once a year. Policies presented to employees as part of the onboarding process are reviewed once a year to ensure we are keeping up with best practices.
SimpleSet maintains a regular internal cybersecurity awareness training program.
SimpleSet follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events.
SimpleSet notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates addressing progress and impact.
SimpleSet maintains a Security Governance Policy, which gives a high-level technical description of our security practices, including a mapping of policies to the HIPAA Security Rule.
Our Security Governance Policy can be viewed here: Security Governance Policy
Contact us for a copy of any additional reports or policies you’re interested in reviewing.
Our Privacy Policy can be reviewed here: Privacy Policy
Our Terms of Service can be viewed here: Terms of Service
Our Data Processing Addendum can be viewed here: Data Processing Addendum
To ensure that personal data you send SimpleSet is afforded the protections required by applicable data protection laws, SimpleSet offers a Data Processing Addendum that incorporates its data privacy commitments.