Data Security

Last Updated: July 25, 2020

We are committed to protecting your personal data and the personal data of your clients. We have implemented several security measures to keep your data safe. The following information highlights some of these measures.

Cloud-based Service

LabSmarts is a cloud-based service hosted entirely on Amazon Web Services (AWS). All of your data is stored on AWS servers located within the United States.

Regulatory Compliance

We are fully compliant with HIPAA and GDPR regulations.

We have a Business Associate Addendum (BAA) with AWS relating to our HIPAA compliance that is available upon request. Contact us if you have specific concerns about regulations outlined by your governing body.

We have a Data Processing Agreement (DPA) with AWS relating to our GDPR compliance that is available upon request. See the GDPR section in the Privacy Policy for more information. Contact us if you have specific concerns about GDPR compliance.

The section below shows our approach to meeting key regulatory compliance needs. Each item names the need, followed by our approach.

  • Encryption of Data at Rest: We encrypt and store all data on our servers, including logs and backups, using AES 256-bit encryption.
  • Encryption of Data in Transit: We use AES 256-bit encryption while transferring your data to/from our servers, along with TLS 1.2 to encrypt your data both between your browser and our servers and between our servers and other internal networks.
  • Physical Security: AWS is an SSAE 18 provider that utilizes industry-leading security tools and best practices for managing and maintaining the security of the servers that store your data.
  • Monitoring: All network requests, successful and unsuccessful, are logged.
  • Auditing: All log data is encrypted and unified, enabling secure access to full historical network activity records.
  • Vulnerability Scanning: Network and host assessments are run weekly to check for security exposures and vulnerabilities.
  • Backups: All data is backed up daily. Thirty (30) days of rolling backups are retained.
  • Minimum Necessary Access: Access controls always default to no access unless overridden manually.

PCI Compliance

Payments processed through our website are handled in a PCI-compliant manner. We process subscription payments via Stripe, which is a PCI Level 1 Service Provider.

Learn more about Stripe’s PCI compliance: https://stripe.com/docs/security

Security of Your Password

Browser Password Security. We do not persist your password in your browser’s cache. We use secure cookies with limited lifespans. You will be asked to re-enter your login credentials if your session is idle for the allotted timeout period.

Password Storage. We do not store your password in plain text. Your password is encrypted, and only you know what it is. If you forget your password, you will have to reset it from the sign-in page.

Suggestions for Keeping Your Account Secure.

  • Never share your username or password with anyone. It is against our policy to share your account information or to let anyone other than you use your account.
  • Always sign out when you are finished using the service.
  • Choose a strong password that follows our password strength policy: at least 8 characters, including 1 number, 1 special character, 1 uppercase letter, and 1 lowercase letter.

Contact Us

If you have general inquiries, questions, concerns, or comments about this Data Security Policy, please contact us using the contact form below.