We are committed to protecting your personal data and the personal data of your clients. We have implemented several security measures to keep your data safe. The following information highlights some of these measures.
Cloud-based Service
LabSmarts is a cloud-based service hosted entirely on Amazon Web Services (AWS). All of your data is stored on AWS servers located within the United States.
Regulatory Compliance
We are fully compliant with HIPAA and GDPR regulations.
We have a Business Associate Addendum (BAA) with AWS relating to our HIPAA compliance that is available upon request. Contact us if you have specific concerns about regulations outlined by your governing body.
We have a Data Processing Agreement (DPA) with AWS relating to our GDPR compliance that is available upon request. See the GDPR section in the Privacy Policy for more information. Contact us if you have specific concerns about GDPR compliance.
The section below shows our approach to meeting key regulatory compliance needs.
Need
Our Approach
Encryption of Data at Rest
We encrypt and store all data on our servers, including logs and backups, using AES 256-bit encryption.
Encryption of Data in Transit
We use AES-256 bit encryption while transferring your data to/from our servers along with TLS 1.2 to encrypt your data both between your browser and our servers and between our servers and other internal networks.
Physical Security
AWS is an SSAE 18 provider that utilizes industry-leading security tools, and best practices for managing and maintaining the security of the servers that store your data.
Monitoring
All network requests, successful and unsuccessful, are logged.
Auditing
All log data is encrypted and unified, enabling secure access to full historical network activity records.
Vulnerability Scanning
Network and host assessments are run weekly to check for security exposures and vulnerabilities.
Backups
All data is backed up daily. Thirty (30) days of rolling backups are retained.
Minimum Necessary Access
Access controls always default to no access unless overridden manually.
PCI Compliance
Payments processed through our website are done in a PCI compliant manner. We process subscription payments via Stripe, which is a PCI Level 1 Service Provider.
Learn more about Stripe’s PCI compliance: https://stripe.com/docs/security
Security of Your Password
Browser Password Security. We do not persist your password in your browser’s cache. We use secure cookies with limited lifespans. You will be asked to re-enter your login credentials if your session is idle for the allotted timeout period.
Password Storage. We do not store your password in plain text. Your password is encrypted, and only you know what it is. If you forget your password, you will have to reset it from the sign in page.
Suggestions for Keeping Your Account Secure.
Never share your username or password with anyone. It is against our policy to share your account information and have anyone other than you using your account.
Always sign out when you are finished using the service.
Choose a strong password that follows our password strength policy of at least 8 characters minimum length, 1 number, 1 special character, 1 uppercase letter, and 1 lowercase letter.
Contact Us
If you have general inquiries, questions, concerns, or comments about this Data Security Policy, please contact us using the contact form below.
