CASA has built upon the industry-recognized standards of OWASP's Application Security Verification Standard (ASVS) to provide a consistent set of requirements to harden security for any application. Further, CASA provides a uniform way to perform trusted assurance assessments of these requirements when such assessments are required for applications with potential access to sensitive data.
At Richpanel, we understand the critical importance of safeguarding personal health information (PHI). Our commitment to security and privacy is at the forefront of our operations, especially in our interactions with the healthcare sector. This is why we are proud to announce that Richpanel is self-certified for HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA), a United States legislation passed in 1996, provides data privacy and security provisions for safeguarding medical information. HIPAA compliance ensures that sensitive patient health information is protected from being disclosed without the patient's consent or knowledge.
Our journey to self-certify for HIPAA compliance involved a comprehensive review and revamping of our data handling practices. We have implemented stringent security measures to ensure the confidentiality, integrity, and availability of all the protected health information (PHI) that we handle. These measures include, but are not limited to:
Self-certification for HIPAA compliance at Richpanel involved an extensive internal audit of our processes and systems. We collaborated with legal experts and HIPAA consultants to ensure that every aspect of our operations meets or exceeds the standards set by HIPAA. While self-certification is not an official legal status, it demonstrates our proactive approach and unwavering commitment to protecting sensitive healthcare information.
We believe that compliance is not a one-time event, but a continuous journey. Richpanel is dedicated to maintaining the highest standards of data privacy and will continue to update and improve our processes to keep pace with evolving industry standards and regulations.
SAML Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials. If you’re using password-based authentication, you can turn on 2-factor authentication (2FA).
We enable permission levels within the app to be set for your teammates. Permissions can be set to include app settings, billing, user data or the ability to read or send messages.
We have an uptime of 99.9% or higher. You can check our past month stats at https://richpanel.statuspage.io/
Richpanel services and data are hosted in Amazon Web Services (AWS) facilities in the Oregon (us-west-2) region.
Richpanel was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
On an application level, we produce audit logs for all activity, ship logs to ELK and Cloudwatch for analysis and use S3 for archival purposes.
Access to customer data is limited to authorized employees who require it for their job. Richpanel is served 100% over HTTPS. Richpanel runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on Richpanel’s network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on Bitbucket, Google, AWS, and Richpanel to ensure access to cloud services is protected.
Our API and application endpoints are TLS/SSL only and score an "A+" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Richpanel uses third-party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Once a year we engage third-party security experts to perform detailed penetration tests on the Richpanel application and infrastructure.
Richpanel implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post-mortem review. All employees are informed of our policies.
All employees complete Security and Awareness training annually.
Richpanel has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Richpanel performs background checks on all new employees in accordance with local laws.
All employee contracts include a confidentiality agreement.
We encourage our customers to follow security best practices. Visit our documentation site for guidance on keeping your Richpanel account secure.
For any security-related questions or to report a security concern, please contact our security team at security@richpanel.com.
© 2024 Richpanel Inc. All rights reserved.