Trust & Compliance
Overview of our Security Program
The MedaSystems platform is designed from the ground up to provide the highest level of security and confidentiality for our customers’ proprietary information, both in storage and in transit. The data contained in our system includes the personal information of healthcare professionals, proprietary information of our customers, and de-identified patient information. Our commitment and ability to maintain the confidentiality, integrity and availability of this data is central to our mission and to the ongoing trust of all the stakeholders in our community.
This overview covers our security program, privacy and security certifications awarded to us, and our use of third-party service providers. Please don’t hesitate to contact us to request additional information.
Security Certifications
MedaSystems is built from the ground up to comply with the highest industry standards. We’re proud to share our certifications, but we’re not resting on our laurels. Please check back periodically as we add to this list.
SOC 2 Type I & II
GDPR Local
HIPAA Compliant
Management of Organizational Security
We work with a third-party compliance provider to plan, monitor, audit and remediate our security and compliance processes. With their oversight, we maintain a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures.
We are compliant with GxP standards. Our security program and document management align with the leading global security standards, including:
ISO 27001
SOC 2 Type II
FDA 21 CFR Part 11
EU Annex 11
GAMP 5
We conduct regular reviews of our security program and update the program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.
Privacy
We have a privacy policy, available on our website, that clearly documents and communicates the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.
Security Organization and Management
We have appointed an information security officer to help our employees satisfy their information security responsibilities. We maintain a responsibility and accountability structure for security management designed to coordinate our information security arrangements, monitor the effectiveness of security arrangements, and maintain approved security standards.
Roles & Responsibilities
We maintain clearly defined roles and responsibilities for all information processing activities, including the management and control of operational systems, administration and support of communication networks and the development of new systems. The roles and access rights of computer operators and system administrators are separated from those of network and systems development staff.
In addition, we maintain procedures to supervise information processing activity, minimize the risk of improper activity or error, and screen applicants for security-sensitive positions.
Identity and Access Management
We assign access to systems according to the principle of least privilege, in accordance with our documented access policies, and enforce these privileges through automated means.
Privileges
Access mechanisms operate securely and in line with good security practice (e.g., no display of passwords, storage of passwords in encrypted form). Authorization procedures are formally defined and conform to commercially standard disciplines, including heightened control over the issue of special access privileges and termination of authorizations that are no longer required.
Authentication
We use industry standard practices to identify and authenticate authorized users. We align our authentication methods with business risk using standards appropriate to our industry (e.g., requiring valid multi-factor authentication). Passwords are managed according to industry standards and must be changed periodically. We maintain access logs and conduct periodic reviews of the logs for signs of unauthorized access or changes.
Security procedures
Architecture
Our platform is built in accordance with a defined set of security standards and corresponding mechanisms. The security architecture supports information resources requiring different levels of protection, enables the secure flow of data, and allows for the revocation of privileges when users leave the organization.
We document and inventory our critical information assets and the applications that process them, and conduct information security risk assessments regularly and as needed, updating our policies and practices to ensure the continued privacy, confidentiality, security and integrity of our information.
Encryption
We encrypt data at rest and in transit, using industry standard Transport Layer Security (TLS) for data in transit.
Network Communications & Systems Management
We use the following controls to protect network communications and systems.
Industry standard firewalls
Antivirus/Antimalware software and procedures
Denial of service countermeasures
Intrusion detection services
Removal of data when it is no longer needed or authorized
Vulnerability & Penetration Testing
We engage third-party security specialists annually to perform vulnerability and penetration testing of our systems. Internet-facing systems are regularly scanned for vulnerabilities.
We have application, database, network, and resource monitoring in place to identify any vulnerabilities and protect our applications. Our solutions undergo internal vulnerability testing prior to release.
Business Continuity
Our platform is designed to avoid single points of failure to reduce the chance of business disruption and minimize service interruptions. We maintain formally documented recovery processes that may be activated in the event of a significant business disruption. We conduct testing, at least annually, to verify the validity of the recovery processes.
We implement disaster recovery measures to minimize data loss in the event of a single data center failure. We monitor our solutions for signs of pending failure and take preemptive action to attempt to minimize/prevent downtime.
Software Development
We have a formal software development lifecycle methodology in place, which adheres strictly to industry standards and governs the development, implementation, changes (including emergency changes), and maintenance of our information systems and related technology requirements.
Physical Security
Our third-party data center providers have measures that protect against loss of or damage to equipment and facilities. They restrict physical access to authorized personnel and provide security staff where appropriate to ensure the safety of their facilities.
We host our production software in facilities that use equipment designed to protect against power outages/failure, allow rapid recovery of assets in the event of an outage, protect power, network infrastructure and critical systems from damage or compromise, and protect buildings against natural disaster or deliberate attack. We also strictly adhere to an industry standard Business Continuity and Disaster Recovery policy that ensures our production data is backed up continually and recoverable in the event of loss of access to our primary hosting facility.
Vendor Management
We have a vendor management program in place to inventory and review our third-party providers. We use third-party providers to host data, provide cloud-based services and support our operations. We require that these suppliers enter into downstream agreements with us, such as nondisclosure agreements, data processing agreements, business associate agreements and the like, as appropriate based on the type of services they provide and the type of information they have access to. We apply a risk-based approach to periodically review our suppliers’ security posture. Our suppliers maintain their respective security programs, which can be requested directly from them or may be available on their websites.
Sub-Processors
Third Party Sub-Processors are Vendors selected by MedaSystems to process Personal Data on MedaSystems’ behalf in relation to the service provided under MedaSystems’ Master Subscription Agreement and Application Terms of Service. We maintain a complete list of our Sub-Processors here.
Uptime
The MedaSystems platform is hosted on AWS EKS clusters, which carry an uptime SLA of 99.95%. Moreover, new releases and system updates are always deployed as rolling updates to minimize any disruption.
Documentation
We are happy to provide documentation of our security certifications upon request. Please fill out the form below to speak with our team.