Welcome to DXRX - The Diagnostic Network® ("DXRX Platform")
Unless otherwise stated, any defined terms in here shall have the meaning set out in the DXRX Membership Terms.
At Diaceutics we take the protection of Your Content extremely seriously. This policy describes the organizational and technical measures Diaceutics implements platform-wide designed to prevent unauthorized access, use, alteration, or disclosure of information. The DXRX Services operate on Amazon Web Services (“AWS”); this policy describes activities of DXRX Platform within its instance on AWS unless otherwise specified.
Our team consists of people who have played leading roles in the design, build, and operation of highly secure internet-facing systems at companies ranging from start-ups to large public and private companies.
Incident Response Plan
- We have implemented a formal procedure for security events.
- When security events are detected, the relevant Diaceutics’ teams are paged, notified, and assembled to rapidly address the security event.
- After a security event is resolved, we write up a post-mortem analysis.
- The analysis is reviewed by the team, distributed across the company, and includes action items that will make the detection and prevention of a similar event easier in the future.
- Diaceutics will promptly notify you in writing upon verification of a security breach of any DXRX Services that affect your information. Notification will describe the breach and the status of Diaceutics' investigation.
- Diaceutics Data Protection Manager will also be involved, making his/her own assessments in line with obligations under Applicable Data Protection Law.
- A dedicated communication channel (firstname.lastname@example.org) has been created to handle any queries or breaches.
- All of the DXRX Services are hosted in AWS facilities in the US (Virginia) and in Europe (Dublin) and protected by AWS security, as described at http://aws.amazon.com/security/sharing-the-security-responsibility. DXRX Services have been built with disaster recovery in mind.
- All of our infrastructures are spread across multiple AWS data centers (availability zones) and will continue to work should any one of those data centers fail unexpectedly. Amazon does not disclose the location of its data centers. As such, Diaceutics builds on the physical security and environmental controls provided by AWS. See http://aws.amazon.com/security for details of AWS security infrastructure.
- All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
- DXRX Services use a backup solution for datastores that contain data.
- We have a continuous integration, continuous delivery, and continuous deployment (CI-CD) process in place so that we can safely and reliably roll out changes to both our application and infrastructure in an automated process.
- All Your Content is stored in the US (Virginia) and Europe (Dublin).
- Your Content is stored in multi-tenant datastores; we do not have individual datastores for each DXRX Member. However, strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent any unauthorized access between DXRX Members (i.e., logical separation).
- Each DXRX Service system used to process DXRX Member data is adequately configured and pathed using commercially-reasonable methods according to industry-recognized system-hardening standards.
- Diaceutics engages certain sub-data processors to process DXRX Member data which is protected by appropriate contracts.
Transfer of Your Content
- All Your Content sent to or from the DXRX Services is encrypted in transit using 256-bit encryption.
- Our API and application endpoints are TLS/SSL only and score an “A+" rating on SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.
- We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
- DXRX Services are served 100% over https and run a zero-trust corporate network.
- There are no corporate resources or additional privileges from being on DXRX Services’ network.
- We have two-factor authentication (2FA) and strong password policies on BitBucket, and AWS, to ensure access to cloud services is protected.
Permissions and Administrator Controls
- DXRX Services enable permission levels to be set for any personnel with access to the DXRX Services.
- On an application level, we produce audit logs for all activity.
- All access to DXRX Service applications is logged and audited.
- VPNs are used for accessing resources
Security Audits and Certifications
- We use technologies to provide an audit trail over our infrastructure and the DXRX Services application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup, and audit access to every layer of our stack.
- Information about AWS security certifications and obtaining copies of security reports from AWS is available at http://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/
- To assist with our audits and testing we may choose to bring in external vendors.
DXRX Member Responsibilities
- Manage your own DXRX Accounts, roles and permissions from within the DXRX Services.
- Protect your own DXRX Account and DXRX Login, including those of your End Users accessing the DXRX Services.
- Comply with the DXRX Membership Terms.
- Comply with all applicable laws, including Applicable Data Protection Laws.
- Promptly notify Diaceutics if any DXRX Logins have been compromised or if you suspect possible suspicious activities that could negatively impact the security of the DXRX Services or your DXRX Account.
- Promptly notify Diaceutics if you or your End User leave the employment of the organization that is the primary enrolling business entity with Diaceutics in relation to your use of the DXRX Services.
- You may not perform any security penetration tests or security assessment activities without the express advance written consent of Diaceutics.