Security

Security Measures

 

Last Modified: January 24, 2024

Data security and privacy are a top priority and concern for us, our customers, and their customers.

a) Access Control

i)    Preventing Unauthorized Product Access

Outsourced processing: Insycle hosts its Service with outsourced cloud infrastructure providers. Additionally, Insycle maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Insycle relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: Insycle hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: Insycle implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Insycle’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.

ii)    Preventing Unauthorized Product Use

Insycle implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Static code analysis: Security reviews of code stored in Insycle’s source code repositories are performed, checking for coding best practices and identifiable software flaws.

Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of the Insycle web application at least annually. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.

iii)    Limitations of Privilege & Authorization Requirements

Product access: A subset of Insycle’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.

Background checks: Where permitted by applicable law, Insycle employees undergo third-party background or reference checks. In the United States, employment offers are contingent upon the results of a third-party background check. All Insycle employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: Insycle makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Insycle products. Insycle’s HTTPS implementation uses industry standard algorithms and certificates. An independently verified SSL rating of A+ is available here: https://www.ssllabs.com/ssltest/analyze.html?d=app.insycle.com

At-rest: Insycle stores user passwords under policies that follow industry standard practices for security. Data stored by Insycle is encrypted at rest.

c) Input Control

Detection: Insycle designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Insycle personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Insycle maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Insycle will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Communication: If Insycle becomes aware of unlawful access to Customer data stored within its products, Insycle will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Insycle is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Insycle deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Insycle selects, which may include via email or telephone.

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online backups: All databases are backed up and maintained using at least industry standard methods.

Insycle’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Insycle operations in maintaining and updating the product applications and backend while limiting downtime.