


As a lead-in, below is a high-level summary of our major architecture, our guiding principles, and how they maximize our security. In an effort to be transparent, we go into a good amount of detail on this page.

Encryption – all data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of ePHI stored in log files.

Minimum Necessary Access – access controls always default to no access unless overridden manually.

System Access Tracking – all access requests and changes of access, as well as approvals, are tracked and retained.

PHI Segmentation – all customer data is segmented. Additionally, all platform customers have a dedicated overlay network (subnet) for additional network segmentation.

Monitoring – all network requests, successful and unsuccessful, are logged, along with all system logs. OSSEC is used for IDS and file integrity monitoring. Additionally, alerts are proactively sent based on suspicious activity. API PHI requests (GET, POST, PUT, DELETE) log the requestor, location, and data changed/viewed.

Auditing – all log data is encrypted and unified, enabling secure access to full historical network activity records.

Minimum Risk to Architecture – secure, encrypted access is the only form of public access enabled to servers. To gain full access to Jotform systems, users must log in via two-factor authentication through VPN, authenticate to the specific system as a regular user, and temporarily elevate privileges on that system as needed. All API access must first pass through Jotform AWS firewalls.

Vulnerability Scanning – all customer and internal networks are scanned regularly for vulnerabilities.

Intrusion Detection – all production systems have intrusion detection software running to proactively detect anomalies.

Backup – all customer data is backed up every 24 hours. Seven (7) days of rolling backups are retained.

Disaster Recovery – Jotform has an audited and regularly tested disaster recovery plan. This plan also applies to customers, and they inherit it from us.

Documentation – all documentation (policies and procedures that make up our security and compliance program) is stored and versioned using Google Docs.
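Two of the controls above, default-deny access and per-request PHI audit logging (requestor, location, data changed/viewed), are easy to get subtly wrong, so here is a worked example of both together. This is an added illustration, not Jotform's code: the grant table, field names, sample record and IP addresses are all constructed, and the audit records are kept in memory where a real deployment would write them to an encrypted, append-only store.

```python
"""Added example (not Jotform's code): a default-deny access check in front of
a PHI resource, plus an audit record for every API request capturing the
requestor, source location, action, outcome, and the field names viewed or
changed. Grants, schema and sample data are constructed for the example."""
from __future__ import annotations

from datetime import datetime, timezone

# Explicit grants keyed by (user, resource). Minimum necessary access:
# a (user, resource) pair with no entry has no access at all.
GRANTS = {
    ("alice", "patient_record"): {"GET", "POST", "PUT", "DELETE"},
    ("bob", "patient_record"): {"GET"},
}

# In-memory audit trail (assumption: a deployment would persist these to an
# encrypted, append-only log rather than a Python list).
AUDIT_LOG: list[dict] = []


def is_allowed(user: str, resource: str, method: str) -> bool:
    """Default deny: only methods explicitly granted for (user, resource) pass."""
    return method in GRANTS.get((user, resource), set())


def handle_phi_request(user: str, source_ip: str, method: str, resource: str,
                       record_id: str, store: dict, payload: dict | None = None):
    """Enforce the access decision, apply the request to `store`, and append an
    audit record. Only field *names* are logged, never values, so the audit
    trail itself carries no ePHI. Returns (decision, audit_record)."""
    decision = "allow" if is_allowed(user, resource, method) else "deny"
    before = dict(store.get(record_id, {}))
    viewed: list[str] = []
    changed: list[str] = []

    if decision == "allow":
        if method == "GET":
            viewed = sorted(before)
        elif method == "POST":
            store[record_id] = dict(payload or {})
            changed = sorted(store[record_id])
        elif method == "PUT":
            after = {**before, **(payload or {})}
            changed = sorted(k for k in set(before) | set(after)
                             if before.get(k) != after.get(k))
            store[record_id] = after
        elif method == "DELETE":
            changed = sorted(before)
            store.pop(record_id, None)
    # A denied request changes nothing in `store`; it is still audited below.

    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "requestor": user,
        "source_ip": source_ip,   # the request's location
        "method": method,
        "resource": resource,
        "record_id": record_id,
        "decision": decision,
        "fields_viewed": viewed,
        "fields_changed": changed,
    }
    AUDIT_LOG.append(audit)
    return decision, audit


if __name__ == "__main__":
    # Constructed sample record and requests.
    store = {"r1": {"name": "Pat", "dob": "1980-01-01", "diagnosis": "J06.9"}}
    print(handle_phi_request("bob", "10.0.0.5", "PUT", "patient_record", "r1",
                             store, {"diagnosis": "J10"}))    # denied, unchanged
    print(handle_phi_request("alice", "10.0.0.5", "PUT", "patient_record", "r1",
                             store, {"diagnosis": "J10"}))    # allowed
    print(handle_phi_request("bob", "10.0.0.6", "GET", "patient_record", "r1",
                             store))                          # viewed fields
```

Two design choices worth copying: the decision is computed from an allow-list lookup whose miss case is denial, so a typo in a user or resource name fails closed, and the audit record names which fields were viewed or changed without including their values, which keeps ePHI out of the log in the first place rather than relying only on encrypting it afterwards.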
