Data Security

Last Updated: April 12, 2025

We are committed to protecting your personal data and the personal data of your clients. We have implemented several security measures to keep your data safe. The following information highlights some of these measures.

Cloud-based Service

LabSmarts is a cloud-based service hosted entirely on Amazon Web Services (AWS). All of your data is stored on AWS servers located within the United States.

Regulatory Compliance

LabSmarts maintains compliance with HIPAA regulations through internal policies, secure infrastructure, and a signed BAA with AWS.

Access to protected health information (PHI) is granted only to authorized personnel and is governed by internal access controls and training protocols.

LabSmarts has an active Business Associate Agreement (BAA) with Amazon Web Services (AWS) to ensure HIPAA-aligned handling of all stored and transmitted data.

We have a Data Processing Agreement (DPA) with AWS relating to our GDPR compliance. See the GDPR section in the Privacy Policy for more information.

In the event of a data breach, LabSmarts follows HIPAA’s Breach Notification Rule and will notify affected parties as required by law.

The following sets out key regulatory compliance needs and our approach to each.

Encryption of Data at Rest

All data stored on our servers, including logs and backups, is encrypted at rest with AES-256.

Encryption of Data in Transit

We use TLS 1.2 with AES-256 cipher suites to encrypt your data in transit, both between your browser and our servers and between our servers and other internal networks.

Physical Security

AWS is an SSAE 18 audited provider that uses industry-leading security tools and best practices for managing and maintaining the security of the servers that store your data.

Monitoring

All network requests, successful and unsuccessful, are logged.

Auditing

All log data is encrypted and stored centrally, so full historical records of network activity can be reviewed securely.

Vulnerability Scanning

Network and host assessments are run weekly to check for security exposures and vulnerabilities.

Backups

All data is backed up daily. Thirty (30) days of rolling backups are retained.

Minimum Necessary Access

Access controls default to no access; permissions are granted only when explicitly assigned.

PCI Compliance

Payments made through our website are processed in a PCI DSS compliant manner. We process subscription payments as a PCI Level 1 Service Provider.

Security of Your Password

Browser Password Security. We do not persist your password in your browser’s cache. We use secure cookies with limited lifespans. You will be asked to re-enter your login credentials if your session has been idle for longer than the allotted timeout period.

Password Storage. We do not store your password in plain text. It is stored only in a one-way (hashed) form from which the password cannot be recovered, so only you know what it is. If you forget your password, you must reset it from the sign-in page.

Suggestions for Keeping Your Account Secure.

  • Never share your username or password. It is a violation of our terms of service to share your username and password with anyone.
  • Always sign out when you are finished using the service.
  • Choose a strong password.

Contact Us

If you have general inquiries, questions, concerns, or comments about this Data Security Policy, please contact us using the contact form below.