Your data and our system security are incredibly important to us. That's why we implement the following security protocols to keep your data safe.
DATA SECURITY, SYSTEM AND PRIVACY FAQS
What types of secure data are being stored or transmitted?
At Aclaimant we believe that all of our users' data should be considered secure data. We protect our users' data in transit by requiring TLS (still commonly referred to as SSL) on every connection.
Is secure data encrypted at rest on our network?
Yes. Our users' sensitive data is encrypted by our application before it reaches the database. The databases that hold our users' data are reached by our applications over the network, and we require encrypted connections to those databases for storing and retrieving any kind of data.
Is secure data encrypted in transit within and outside of network (File transmittals/emails)?
Yes. All data exchanged between databases, application servers and client applications is encrypted in transit using TLS. We also require encrypted connections to every third-party API we integrate with, including those used to send email.
Is secure data encrypted on backup media?
Aclaimant's database infrastructure is hosted in multiple datacenters to ensure fast and secure transmission of data between platforms.
Access to any of these systems requires a secure connection. Our infrastructure partners hold one or more of the following accreditations: ISO 27001, SSAE 16 SOC 1 Type II/ISAE 3402, SOC 2 (Security), SOC 3, PCI DSS Level 1 and FISMA Moderate.
Is secure data always sent using secure methods?
Yes. The security of our users' data is paramount, so we never transmit data in an insecure fashion.
How do you ensure data security with your partners and vendors?
We consider our infrastructure to be extremely secure. However, a number of industry partners have integrations with the Aclaimant system, and once data has been securely transferred from our system to theirs we can no longer control the security of that data.
Before any integration is started, we audit the data the partner needs so that the amount of data leaving our system is kept to a minimum. We repeat this audit routinely.
In addition, our users' data will never be shared with a vendor or third-party integration without the user's knowledge or consent.
What security measures are in place to protect secure data and prevent data breaches?
In addition to the measures mentioned above, we have the following in place to keep data safe and prevent breaches:
- Secure token-based authentication
- Constant system monitoring
- Continuous security updating and patching
- Use of firewalls
- Best-in-class vendor selection (AWS, Heroku, etc.)
What is the process if a data breach occurs?
- After a breach is found, affected clients will be alerted within 3 business days of Aclaimant becoming aware of a breach
- We will alert key client contact, and any other requested individuals
- Please alert your account representative or the data breach contact listed above by phone and/or email.
- Aclaimant carries Cyber and Privacy insurance for the following occurrences:
  - Cyber Liability
  - Privacy Liability
  - Privacy Breach and Notification
- A copy of our policy is available upon request
If a breach does occur the following services will be available to employees whose data has been compromised:
1. Notification - Aclaimant to send affected individuals notification that their information was compromised
2. Explanation - Aclaimant to send affected individuals a letter explaining what information was involved in the compromise
3. If Aclaimant does not have affected individual's contact information, we will send materials/information to key client contact for distribution to affected parties.
How are users authenticated?
Users are authenticated using single-use secure tokens that our system generates when a user attempts to log in. The user submits their email address or phone number on our login page. We generate a single-use secure token that expires after 60 minutes and send it to the user over email or SMS. The user enters the token on the login page. The system checks that the supplied token is the one issued for that login identifier (email address or phone number) and has not expired; if so, the user is authenticated and a user session is created. All data transmission, including authentication, occurs over TLS (HTTPS).
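The flow described above, as an added example that is not Aclaimant's code: a hypothetical in-memory service that issues and redeems a single-use login token. It stores only an HMAC of the token (so a copy of the store does not yield usable tokens), keys that HMAC with the login identifier (so a token issued for one identity cannot be redeemed against another), enforces the 60-minute expiry, compares in constant time, and deletes the token on first successful use so it cannot be replayed. The pepper, the per-token attempt limit, the injectable clock and the session id format are assumptions for illustration, not details from the page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 60 * 60   # the page states a 60-minute expiry
MAX_ATTEMPTS = 5              # assumption: guesses allowed per issued token, not stated on the page


@dataclass
class PendingLogin:
    token_hash: bytes    # HMAC of the token, never the token itself
    expires_at: float    # absolute time in seconds
    attempts: int = 0


class TokenLogin:
    """Hypothetical single-use login-token service (not Aclaimant's implementation)."""

    def __init__(self, pepper: bytes, clock: Callable[[], float] = time.time) -> None:
        self._pepper = pepper            # server-side secret; assumed to come from a secrets manager
        self._clock = clock              # injectable so expiry can be tested without sleeping
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _normalise(identity: str) -> str:
        # Email addresses and phone numbers are matched case- and whitespace-insensitively.
        return identity.strip().lower()

    def _hash(self, identity: str, token: str) -> bytes:
        # Mixing the identity into the keyed hash means a token issued to one login
        # cannot be redeemed against another, even if the stored hashes leak.
        msg = f"{identity}\x00{token}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, identity: str) -> str:
        """Create a token for the identity and return it for delivery by email/SMS."""
        identity = self._normalise(identity)
        token = secrets.token_urlsafe(24)     # 192 bits of randomness from the OS CSPRNG
        # Issuing a new token replaces any earlier one, so only the latest can be redeemed.
        self._pending[identity] = PendingLogin(
            token_hash=self._hash(identity, token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token                          # deliver out of band; never log it

    def redeem(self, identity: str, token: str) -> Optional[str]:
        """Return a new session id if (identity, token) is valid, otherwise None."""
        identity = self._normalise(identity)
        entry = self._pending.get(identity)
        if entry is None:
            return None                        # nothing issued, or already used
        if self._clock() > entry.expires_at:
            del self._pending[identity]        # expired: discard so it cannot be retried
            return None
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[identity]        # too many guesses: force a fresh token
            return None
        if not hmac.compare_digest(entry.token_hash, self._hash(identity, token)):
            return None                        # constant-time mismatch; the attempt is counted
        del self._pending[identity]            # single use: consume before creating the session
        return secrets.token_urlsafe(32)       # session id; assumed to be stored server-side
```

The order of checks matters: expiry and the attempt counter are evaluated before the comparison, so an attacker cannot keep guessing against a stale token, and the token is deleted before the session is created, so a race between two submissions of the same token yields at most one session.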
All authenticated users are limited in what they can access based on their role and the organizations they are allowed to access.
Our API ensures that resources are only available to users who are allowed to access them. If no user session is available, the user is required to log in before accessing any resource. If a session is available, it is used to limit access to the resource based on the user's role, their organization, and permissions attached to the resource itself. Resource access permissions (read, create, modify) are derived from the user's role and from rules on each resource that determine who can perform actions against it.
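The authorization model described above, as an added example that is not Aclaimant's code: a hypothetical deny-by-default check that applies the three layers in order (session present, organization membership, role permission) and then consults a per-resource rule. It returns a reason alongside the decision so the caller can distinguish "login required" from "forbidden" and write a useful audit log. The role matrix, the resource kinds and their rules are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Role -> actions that role may perform. Assumed matrix, not the page's.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "create", "modify"}),
    "admin": frozenset({"read", "create", "modify"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    org_ids: FrozenSet[str]     # organizations the user is allowed to access


@dataclass(frozen=True)
class Resource:
    kind: str
    org_id: str                 # owning organization
    owner_id: str               # user who created it
    locked: bool = False        # e.g. a closed claim (assumed attribute)


@dataclass(frozen=True)
class Session:
    user: User


# Per-resource rules, consulted after the role check. Each returns True to allow.
# Hypothetical rules: a locked claim may be modified only by an admin; a note may be
# modified only by its owner or an admin; reads and creates fall through to the role.
Rule = Callable[[User, Resource, str], bool]
RESOURCE_RULES: Dict[str, Rule] = {
    "claim": lambda u, r, a: a != "modify" or not r.locked or u.role == "admin",
    "note": lambda u, r, a: a != "modify" or r.owner_id == u.user_id or u.role == "admin",
}


def authorize(session: Optional[Session], resource: Resource, action: str) -> Tuple[bool, str]:
    """Decide whether `session` may perform `action` on `resource`.

    Returns (allowed, reason). "login_required" maps to HTTP 401; every other
    denial maps to HTTP 403. Any path that is not explicitly allowed denies.
    """
    if session is None:
        return False, "login_required"
    user = session.user
    # The organization boundary is checked before the role so that an admin in
    # one organization still cannot reach another organization's data.
    if resource.org_id not in user.org_ids:
        return False, "organization"
    if action not in ROLE_PERMISSIONS.get(user.role, frozenset()):
        return False, "role"
    rule = RESOURCE_RULES.get(resource.kind)
    if rule is None:
        return False, "unknown_resource_kind"
    if not rule(user, resource, action):
        return False, "resource_rule"
    return True, "ok"
```

Because the organization check precedes the role check, the result for a cross-organization request is the same for a viewer and an admin, which also avoids leaking whether a resource exists in another tenant through differing error reasons.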
DATA BREACH PROTOCOL DOCUMENTATION
How to Report a Security Problem To Aclaimant
If you feel the issue is urgent or involves something sensitive, please send your report directly to your client representative contact. If the issue is not urgent or sensitive, submit a support request and it will be handled through our normal support processes.
How We Manage Security Issues
Issues submitted or breaches identified will be handled as follows:
Aclaimant will reach out to let you know the best way to track the issue and monitor its status.
Aclaimant will investigate the issue and understand how it impacts our system. We won’t disclose the completed report until our investigation is completed and our team has corrected the issue or vulnerability. We will work with the affected clients so that all involved parties understand the issue.
Aclaimant will notify impacted clients and users as described above. Users whose data has been compromised will be alerted within 3 business days of Aclaimant being made aware of an issue and completing its investigation. Individuals whose information has been compromised will be notified in a manner consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The breach notification will provide a brief description of the security breach, a contact for inquiries, and helpful references to individuals regarding identity theft and fraud.