Security Measures - Hardware, Software, Processes, Procedures and Maintenance
Quicktate (sometimes referred to as Company) employs a combination of three standard security approaches in its business: authentication, authorization, and encryption.
1. Authentication
Authentication is confirming the identity of an individual. There are three major groups requiring authentication:
a. Customers
Customers are authenticated using their own Account Number and PIN when they log in to their account on the Company website.
b. Transcribers
Typists are authenticated using their own Account Number and PIN when they log in to their account on the Company website to retrieve a file to type.
c. Proof Readers
Proof Readers are authenticated using their own Account Number and PIN when they log in to their account on the Company website to edit or proof read a file that has already been typed.
2. Authorization
Authorization is confirming that an authenticated individual is allowed to access a particular customer record or customer account. The Company security model uses authorization to ensure that only the individuals who need to access a given record are actually able to do so.
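Sections 1 and 2 describe a PIN login followed by a per-record access check. The Python below is an added illustration of those two steps; it is not Quicktate's code, and the account numbers, PINs, job states and lockout threshold are constructed for the example. It stores PINs as salted scrypt hashes rather than in clear, compares them in constant time, returns the same failure for an unknown account and a wrong PIN so the login form does not reveal which account numbers exist, locks the account after repeated failures (a short numeric PIN is trivial to brute-force without throttling), and then lets a customer, transcriber or proof reader act on a job only when the job is theirs and is in the state that role works on.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# The three authenticated groups named in section 1.
ROLES = {"customer", "transcriber", "proofreader"}

# Job lifecycle assumed for this example; the page does not name the states.
UPLOADED, TYPED, PROOFED = "uploaded", "typed", "proofed"

MAX_FAILURES = 5  # lockout threshold (assumption); short PINs must be throttled
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory-hard KDF parameters (16 MiB)


@dataclass
class Account:
    number: str
    role: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class Job:
    job_id: str
    owner: str                          # customer account number
    assigned_typist: Optional[str]      # transcriber account number
    assigned_proofreader: Optional[str]
    state: str


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Never store the PIN itself; store a salted, memory-hard hash of it.
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def create_account(number: str, role: str, pin: str) -> Account:
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    salt = os.urandom(16)
    return Account(number, role, salt, _hash_pin(pin, salt))


def authenticate(accounts: Dict[str, Account], number: str, pin: str) -> Optional[Account]:
    """Section 1: return the Account if number+PIN match, else None.

    Unknown account, wrong PIN and locked account all yield None so the
    response does not reveal which account numbers exist; the hash compare
    is constant-time; repeated failures lock the account.
    """
    acct = accounts.get(number)
    if acct is None:
        _hash_pin(pin, b"\x00" * 16)  # spend the same work as a real check
        return None
    if acct.locked:
        return None
    if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failures = 0
        return acct
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return None


def authorize(acct: Account, job: Job, action: str) -> bool:
    """Section 2: a principal may act on a job only if it is their record
    and the job is in the state their role works on."""
    if acct.role == "customer":
        return job.owner == acct.number and action in {"upload", "view", "download"}
    if acct.role == "transcriber":
        # Typists retrieve files that still need typing, and only their own assignments.
        return (job.assigned_typist == acct.number and job.state == UPLOADED
                and action in {"retrieve", "submit_typed"})
    if acct.role == "proofreader":
        # Proof readers edit files that have already been typed.
        return (job.assigned_proofreader == acct.number and job.state == TYPED
                and action in {"retrieve", "edit", "submit_proofed"})
    return False  # deny by default


if __name__ == "__main__":
    accounts = {a.number: a for a in (
        create_account("C100", "customer", "4821"),
        create_account("T200", "transcriber", "9911"),
        create_account("P300", "proofreader", "3355"),
    )}
    job = Job("J1", owner="C100", assigned_typist="T200", assigned_proofreader="P300", state=UPLOADED)
    typist = authenticate(accounts, "T200", "9911")
    print("typist may retrieve:", authorize(typist, job, "retrieve"))                  # True
    proofreader = authenticate(accounts, "P300", "3355")
    print("proofreader may edit before typing:", authorize(proofreader, job, "edit"))  # False
```

The state check is what keeps a transcriber from pulling a job that has already moved on to proofreading, and the proof reader from touching audio that nobody has typed yet; the ownership check is what keeps one customer out of another customer's records.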
3. Encryption and SSL/TLS Encryption
SSL/TLS creates a secure channel between the user's web browser and the Company servers: the negotiated session key encrypts traffic against eavesdropping, and the channel's integrity protection together with the server certificate prevents message tampering and message forgery. Company uses 128-bit SSL encryption (128 bits being the strength of the symmetric cipher suite negotiated for the session) when sending and receiving files over the Internet. This includes customer uploads of audio, client downloads of completed jobs, customers viewing and updating personal account information, and the upload and download of customer jobs to our network of typists.
In our backend, all intra-server communication across the open Internet goes over a VPN whose endpoints are authenticated with 1024-bit public/private key pairs; the traffic itself is encrypted with symmetric session keys negotiated under those keys, since public-key cryptography serves for authentication and key exchange rather than bulk encryption. Note that 1024-bit asymmetric keys are below the 2048-bit minimum NIST has recommended since 2013 (SP 800-131A), so such keys should be rotated to 2048 bits or larger.
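To make the 128-bit figure concrete: in TLS it is the strength of the symmetric cipher suite negotiated for the session, not the size of the server's public key. The Python below is added here as an illustration and is not Quicktate's code; it uses only the standard library's ssl module. It builds a client context that verifies the server's certificate chain and hostname, refuses anything older than TLS 1.2, and lists any cipher suite the context would still accept below a given symmetric strength, so an operator can check that a "128-bit" claim actually holds for the configuration in use.

```python
import ssl
from typing import List


def client_context() -> ssl.SSLContext:
    """Client-side context as a browser or an API client should use it:
    certificate chain and hostname verified, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an unverified or mis-named server.
    Without both of these, 'encryption' gives no protection against forgery."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = 128) -> List[str]:
    """Names of cipher suites the context would still negotiate whose
    symmetric strength is below min_bits (the '128-bit' figure above)."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


if __name__ == "__main__":
    ctx = client_context()
    print("verifies peer:", verifies_peer(ctx))                 # True
    print("suites under 128 bits:", weak_ciphers(ctx))          # []
    print("suites under 256 bits:", weak_ciphers(ctx, 256))     # the AES-128 suites
```

Running `weak_ciphers` against a server-side context built from a deployed configuration is a quick regression check that a cipher-string change has not silently re-enabled export or 3DES suites.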
4. Company and HIPAA Compliance
Safeguarding our customers' data, including Protected Health Information (PHI), is a top priority at Quicktate. Our privacy and security policies and procedures adhere to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Our full HIPAA statement is available upon request.
5. Level 1 PCI compliance - Credit Card Data
No one at Company holds customer credit card data; it is encrypted and stored with a third-party provider called Chargify. Chargify has attained PCI DSS Level 1 compliance, the highest validation level under the payment card industry's security standard for credit card data and the same level required of banks and payment gateways. PCI Level 1 means that Chargify is audited annually by an outside assessor and found to meet or exceed the standard's requirements for data storage, employee background checks, processes for updating programs, and so on. Chargify ensures all your communications and data are secure based on stringent security guidelines.
6. Secure Network of Typists
English-speaking Quicktate General Transcribers, foreign-language Quicktate Transcribers and Quicktate Medical Transcribers are all based both in the United States and outside the United States.
Prior to being offered transcription assignments, Company reviews each transcriber's employment history and performs background checks. In addition, all transcribers sign and agree to the terms of our Typist Handbook, Company Policies and Code of Ethics, Nondisclosure and Confidentiality Agreement, and HIPAA Business Associate Agreement.
7. Process and Tools Used to Supply the Solution/Product
Our workflow revolves around Atlassian Jira Studio for collaboration, bug tracking, peer review, and for storage of intellectual property in our corporate wiki.
8. General System Architecture and Topology
Our system is completely in the cloud, virtualized and redundantly load balanced using DNS failover and heartbeat IP monitoring. Our ASP services are hosted in Softlayer's datacenter in Dallas, Texas. All aspects of our platforms are fully password protected, with no access to system configurations by the transcribers and limited access by supervisors. Our datacenter has biometric access controls, oversized fire protection, and large backup power installations which are tested regularly. Refer to our datacenter's website to see the precautions they take: http://www.softlayer.com/facilities/data-center-overview/
9. Tools used for Monitoring, software/hardware and Alerts
We currently use Hyperspin for all in-house monitoring. Hyperspin is a third-party monitoring service which polls each component of our system every two minutes and notifies all of our admins by text message or email if any check fails.
10. Escalation process
Urgent issues are escalated to on-call server admins/developers instantly by text message. When submitting issues, you have the option to escalate directly without the intervention of our support staff if an issue is critical.
11. Deployment
Since we are a web based service, most code enhancements are occurring behind the scenes and do not affect the customer. Our API commands have never changed since launch, and if we ever release a new API, we will keep the deprecated commands live so that all existing code will never break.
With our service being entirely web-based, no frameworks need to be upgraded on the customer's side whenever we roll out a new feature. It is typically as simple as modifying a few lines of code on the customer's side to take advantage of new features when we launch them.