Data Ownership
Data you enter into Pulse360 is yours. You have full access to all of your data for as long as you use the Pulse360 application.
If you decide to stop using Pulse360, please let us know as soon as possible and we will prepare and send you an export of all of your data.
Encryption
All of your data is encrypted with industry-standard AES-256. At rest, encryption uses keys managed in AWS KMS on every component that stores data, such as the EBS volumes attached to EC2 instances, RDS and S3.
In transit, connections use TLS 1.2 with certificates issued by AWS Certificate Manager (ACM) for the CloudFront endpoints and the API endpoints.
Network
Our network and databases are built on AWS in environments isolated with VPCs. Depending on your plan, practice data is segregated into entirely separate databases and/or tables; there is no commingling of data between practices.
In addition, AWS CloudTrail is enabled, giving us an automated audit trail of API activity across the environment.
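The audit trail is only useful if something reads it. The following is an added example, not Pulse360's own tooling: a small set of detections run over CloudTrail records of the kind the trail above produces. The records in SAMPLE_EVENTS are constructed (RFC 5737 documentation addresses, AWS's example account 123456789012, invented user and trail names) but use the real CloudTrail field names; the trusted CIDR is a placeholder. The last record shows a failure mode worth handling: calls made by an AWS service carry a DNS name in sourceIPAddress rather than an address.

```python
"""Detections over AWS CloudTrail records.

Added example, not Pulse360 code. SAMPLE_EVENTS is constructed (RFC 5737
documentation addresses, AWS's example account 123456789012) but uses the real
CloudTrail field names; TRUSTED_CIDRS and the trail name are placeholders.
"""
import ipaddress

# Placeholder: the range from which staff are expected to operate.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# API calls that silence or weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_EVENTS = [
    # Console login with MFA from the trusted range: benign.
    {"eventTime": "2024-06-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # Successful console login without MFA, from outside the trusted range.
    {"eventTime": "2024-06-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # API call under a role session opened with MFA, from the office: benign.
    {"eventTime": "2024-06-01T09:10:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    # The same outside user then switches the trail off.
    {"eventTime": "2024-06-01T09:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "prod-trail"}},
    # Call made by an AWS service on our behalf: sourceIPAddress is a DNS name,
    # not an address, so a naive IP comparison would crash or mis-fire here.
    {"eventTime": "2024-06-01T09:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "rds.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "rds.amazonaws.com"}},
]


def actor(event):
    """Readable principal: IAM user name, role-session ARN or invoking service."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("invokedBy") or "unknown"


def source_ip(event):
    """Parse sourceIPAddress; None when it is a service DNS name rather than an IP."""
    try:
        return ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return None


def detect(events, trusted_cidrs=TRUSTED_CIDRS):
    """Run every rule over every record; return (rule, actor, eventName) tuples."""
    findings = []
    for ev in events:
        name, who = ev.get("eventName", ""), actor(ev)
        # 1. Successful console sign-in where no MFA device was used.
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console_login_without_mfa", who, name))
        # 2. Changes to CloudTrail itself.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("trail_tampering", who, name))
        # 3. Human or role activity from outside the trusted range; service
        #    principals are skipped because their source is a DNS name.
        ip = source_ip(ev)
        if ip is not None and not any(ip in net for net in trusted_cidrs):
            findings.append(("untrusted_source_ip", who, name))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, who, name in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {who:8} {name}")
```

On the sample records the script raises four findings, all against the second user: one console login without MFA, one StopLogging call, and two hits on the source-address rule. In production the same rules would run against the trail's delivered log files or an event stream rather than an in-memory list, and the trail-tampering rule is the one to alert on immediately, since it is the attacker's first step toward blinding the other two.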
Access Control
Building on AWS lets us use its Identity and Access Management (IAM) service to manage access to AWS services and resources securely. With IAM we create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.
IAM also lets us attach conditions that control how a user can use AWS: the time of day, the originating IP address, whether the request is made over SSL/TLS, and whether the user has authenticated with a multi-factor authentication device. All IAM user activity is recorded by the AWS CloudTrail service and retained for audit.
We limit access to the production environment to the people who need it, and we require multi-factor authentication for all users.
We use the AWS Key Management Service (AWS KMS) to manage the lifecycle of our encryption keys and to control how they are used by our application and by other AWS services.
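The encryption controls above (TLS in transit, KMS keys at rest) and the IAM conditions (MFA, source IP, SSL, time of day) are all expressed as IAM policy conditions, and the way those conditions combine is where mistakes usually hide. The following is an added example, not Pulse360's own policies or code: two illustrative policy documents, a bucket policy that refuses plaintext transport and uploads not encrypted with SSE-KMS, and an identity policy that gates production RDS actions on MFA, TLS, the office network and a change window, plus a deliberately small model of IAM's evaluation logic so the outcomes can be checked offline. The account ID, bucket, role and user names and the 203.0.113.0/24 "office" range are placeholders, and the evaluator models only the operators these two policies use.

```python
"""Model of IAM condition evaluation. Added example, not Pulse360 code: the
account ID, bucket, role and user names and the 203.0.113.0/24 office range
are placeholders, and only the operators these two policies use are modelled."""
import fnmatch
import ipaddress
from datetime import datetime

# Bucket policy: the app role may read and write, but nobody may use plaintext
# HTTP and nobody may upload an object that is not encrypted with SSE-KMS.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-data/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}

# Identity policy for operations staff: production RDS actions only with MFA,
# over TLS, from the office range and inside a change window.
OPS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProdAccessWithGuardrails", "Effect": "Allow", "Resource": "*",
     "Action": ["rds:DescribeDBInstances", "rds:RebootDBInstance"],
     "Condition": {
         "Bool": {"aws:MultiFactorAuthPresent": "true", "aws:SecureTransport": "true"},
         "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
         "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T08:00:00Z"},
         "DateLessThan": {"aws:CurrentTime": "2024-06-01T18:00:00Z"}}},
]}

_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))

def _condition_matches(op, key, wanted, ctx):
    """One operator on one context key; several values under a key are OR'ed."""
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if key not in ctx:
        # A missing key satisfies only negated operators. That is why the
        # StringNotEquals deny also catches uploads with no SSE header, and why
        # Bool on aws:MultiFactorAuthPresent cannot pass for requests signed
        # with long-term access keys, where that key is simply absent.
        return op.startswith("StringNot")
    value = ctx[key]
    if op == "StringNotEquals":
        return value not in wanted
    if op == "Bool":
        return str(value).lower() == wanted[0].lower()
    if op == "IpAddress":
        return any(ipaddress.ip_address(value) in ipaddress.ip_network(c) for c in wanted)
    if op == "DateGreaterThan":
        return _ts(value) > _ts(wanted[0])
    if op == "DateLessThan":
        return _ts(value) < _ts(wanted[0])
    raise ValueError(f"operator not modelled: {op}")

def _glob(pattern, value):
    # Action, Resource and Principal may be a string or a list, with * wildcards.
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def evaluate(policies, action, resource, ctx, principal="*"):
    """"Allow" or "Deny": any applicable Deny wins, else an Allow is required."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            who = st.get("Principal", "*")  # identity policies carry no Principal
            who = who["AWS"] if isinstance(who, dict) else who
            if not (_glob(st["Action"], action) and _glob(st["Resource"], resource)
                    and _glob(who, principal)):
                continue
            if not all(_condition_matches(op, k, v, ctx)  # every (op, key) pair must hold
                       for op, kv in st.get("Condition", {}).items() for k, v in kv.items()):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

APP = "arn:aws:iam::123456789012:role/app"
OBJ = "arn:aws:s3:::example-data/report.csv"
DB = "arn:aws:rds:us-east-1:123456789012:db:prod"
TLS = {"aws:SecureTransport": "true"}
OK = {**TLS, "aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.42",
      "aws:CurrentTime": "2024-06-01T10:30:00Z"}

def decisions():
    """Worked requests against each policy; only the first of each group passes."""
    return {
        "put_tls_kms": evaluate([BUCKET_POLICY], "s3:PutObject", OBJ, {**TLS, "s3:x-amz-server-side-encryption": "aws:kms"}, APP),
        "get_plaintext": evaluate([BUCKET_POLICY], "s3:GetObject", OBJ, {"aws:SecureTransport": "false"}, APP),
        "put_no_sse_header": evaluate([BUCKET_POLICY], "s3:PutObject", OBJ, TLS, APP),
        "put_sse_s3": evaluate([BUCKET_POLICY], "s3:PutObject", OBJ, {**TLS, "s3:x-amz-server-side-encryption": "AES256"}, APP),
        "reboot_office_mfa_in_window": evaluate([OPS_POLICY], "rds:RebootDBInstance", DB, OK),
        "reboot_no_mfa": evaluate([OPS_POLICY], "rds:RebootDBInstance", DB, {**OK, "aws:MultiFactorAuthPresent": "false"}),
        "reboot_from_home": evaluate([OPS_POLICY], "rds:RebootDBInstance", DB, {**OK, "aws:SourceIp": "198.51.100.7"}),
        "reboot_after_hours": evaluate([OPS_POLICY], "rds:RebootDBInstance", DB, {**OK, "aws:CurrentTime": "2024-06-01T22:00:00Z"}),
        "reboot_long_term_key": evaluate([OPS_POLICY], "rds:RebootDBInstance", DB, {k: v for k, v in OK.items() if k != "aws:MultiFactorAuthPresent"}),
    }
```

Two things the worked cases make visible. First, an Allow with conditions does nothing on its own when the request is made a different way: the "reboot_long_term_key" case is denied only because no other statement allows it, so a policy set that grants the same action elsewhere without conditions silently bypasses the guardrails. Second, the absent-key rule cuts both ways: a Deny written as Bool aws:MultiFactorAuthPresent false would not fire for long-term access keys, which is why AWS's documented pattern for that deny uses BoolIfExists instead.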
Servers
Being hosted on AWS, we benefit from multiple AWS data centers and a network built from the ground up to protect information, identities and applications. AWS also gives us extensive scalability and reliability options.
AWS regularly obtains third-party validation for thousands of global compliance requirements that it continually monitors to help meet security and compliance standards for finance, retail, healthcare, government and beyond. We inherit the security controls AWS operates for the underlying infrastructure, which strengthens our own compliance; under the AWS shared responsibility model, controls inside the application itself (access management, key usage, data handling) remain Pulse360's responsibility and are described on this page. AWS supports many security standards and compliance programs, including PCI DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171, which helps satisfy requirements from regulators around the globe.
Disaster Recovery
All data is backed up and handled under a predefined data lifecycle, encrypted with AES-256, replicated to a second region with S3 cross-region replication, and protected by storage policies that enforce data-handling best practices to avoid data loss.
Breach Notification
Due to the nature of the data we maintain, it may be necessary to notify or coordinate with parties outside of Pulse360. The Incident Response (IR) Coordinator must determine whether external communication and coordination are required and involve the appropriate Pulse360 resources, as detailed below.
In the event of a confirmed data breach, Pulse360 must provide notification to customers who were impacted. At the discretion of the IR Team (including input from senior management and general counsel), details of the data breach may also be communicated to all customers and/or media. The IR Coordinator must craft appropriate communication based on the circumstances of the incident:
- No data loss / Loss contained: Notification should include a summary of the incident as well as details of how data loss was contained or mitigated (e.g. data that was breached was hashed or encrypted, and the relevant keys were not breached).
- Data loss is suspected: Notification must include a summary of the incident, as well as specifics regarding the data breached (e.g. number of records, specific data that was included, such as account numbers). If data loss is confirmed, communication should also include details of any remedial actions Pulse360 is taking, such as enhanced controls, identity theft monitoring for affected customers, etc.