How is My Company’s Data Secured with Captricity?
Customer data is our clients’ most valuable asset, and the protection of that data is their number one priority. At Captricity, we take data security as seriously as you do, which has inspired us to provide the following overview of the security controls we have implemented throughout our Data-as-a-Service (DaaS) solution, as well as our organization. These extensive controls span the Technical, Operational, and Management aspects of our business, as detailed herein.
Captricity’s security program is based on industry best practices and aligns to industry-standard compliance frameworks. These include NIST 800-53 Rev. 4, SOC 2 Type II trust principles, ISO 27001, and the Payment Card Industry Data Security Standard (PCI DSS) v3.0. Captricity is also under the Federal Trade Commission’s jurisdiction and operates as a HIPAA business associate.
An Introduction to Shreddr™
Captricity’s data capture process is powered by our proprietary, Web-based Shreddr™ application, shown in the figure below with key security controls highlighted.
All incoming data is immediately encrypted in the Capture stage to protect the sensitive information that may be uploaded by our clients. Then, as data moves through the Keyword Value Extraction stage up to the Data Release and Formatting stage, it is further encrypted in storage. Finally, during the Data Release and Formatting stage, data remains encrypted for protection in transmission back to our clients.
Technical Controls Supporting Security
Access to all Captricity systems is authenticated using passwords. All privileged access to our systems and data requires two-factor authentication (passwords and credentials). Each privileged user of Shreddr™ is assigned a unique ID that enables access to the production system via Secure Shell, and to the administrator view via two-factor authentication. All end users of Shreddr™ must register with a unique email address for system access.
Captricity provides cloud services via our Shreddr™ DaaS solution. Shreddr™ is deployed in Amazon Web Services’ (AWS) public (multi-tenant) cloud, within which Captricity has a Virtual Private Cloud. AWS provides all data center infrastructure supporting Shreddr™.
Captricity evaluated AWS’ infrastructure controls to ensure they meet our own clients’ security needs. Our evaluation gave us the full confidence needed to entrust deployment of our solution in AWS’ cloud environment. This assurance is bolstered by industry experts, IT community leaders, and the Payment Card Industry (PCI), all of whom have determined that AWS is the proven leader in providing secure cloud services. For example, Gartner’s Magic Quadrant for Cloud IaaS, Worldwide (May 2015) rated AWS as “the overwhelming market share leader.” AWS is also the US intelligence community’s chosen cloud IaaS to protect classified information.
Captricity’s Director of Information Security (DOIS) is responsible for our cloud audit program, which includes internal and external validations to address client audit and assessment requirements. Captricity passed the third-party HIPAA compliance review/audit in October 2014. The DOIS will also conduct annual internal assessments to confirm that our HIPAA standards and safeguards continue to operate as intended. Additionally, Captricity has undergone a SOC 2 Type II readiness assessment. The final report will be issued in December 2015.
Operational Controls Supporting Security
Communications and Operations Management
As our IaaS provider, AWS is not authorized to access our clients’ Scoped Data. Captricity encrypts all data in transit and in storage to prevent such unauthorized access. No other external parties have access to client data transmitted through Captricity’s Shreddr™ system.
Captricity uses limited, secure network connections to transmit client data and monitor internal system performance. Clients use the Shreddr™ API to upload data via the Internet. Nessus agents are installed on the servers to scan for vulnerabilities, using plugins to check for specific flaws. None of these network connections provide access to Shreddr™’s production environment. Captricity uses the AWS Security Groups (firewalls) to control internal and external traffic flows. All Security Groups are configured on a deny-all, permit-by-exception policy.
To ensure the security of all systems, data, and networks, Captricity’s DOIS conducts vulnerability scans on the entire Shreddr™ environment biweekly, and as required by changes in the threat environment. This process is substantiated by a PCI Security Standards Council Approved Scanning Provider who independently scans our system quarterly. In addition, Captricity invests in third-party validation activities, which include third-party audits of our HIPAA compliance, undergoing the SOC 2 Type II attestation by an AICPA-required CPA firm, and hiring Dell SecureWorks to conduct penetration tests on our entire environment in June-July 2015. There were no critical/high findings nor common vulnerabilities found.
In addition, Captricity performs three different types of backups for Scoped Systems and Data:
- User Data Backups - User data in Shreddr™ is stored in the PostgreSQL database, which we backup in two ways: 1) daily full backups, and 2) continuous backup. Backups within 1 day are recoverable at the 60-second point; within 1 week, at the 24-hour point; within 3 months, at the weekly point; and within 3 years, at the monthly point.
- Operating System and Software Backups - The OS and software used in Captricity's nodes are the EC2 AMIs. AMI snapshots are taken biweekly and stored in AWS US West/East sites.
- System Documentation Backups - Captricity stores information system and security documentation using a Software-as-a-Service that maintains multiple redundant backups.
Human Resource Security
Captricity employees’ system and data access credentials are dependent on passing a thorough vetting process that includes eVerify and background screenings spanning criminal records, social security numbers, address locators, sex and violent offender registries, and terrorist watch lists.
All Captricity new hires must sign our Employee Handbook and Non-Disclosure Agreement during onboarding. All personnel with administrator or privileged user access must also sign our Rules of Behavior before receiving system access. In addition, all employees must pass our mandatory HIPAA/HITECH Security Awareness training during onboarding and annually thereafter.
Physical and Environmental Security
The physical security and environmental controls in the data center that hosts Shreddr™ are under the purview of AWS as the infrastructure provider. AWS’ infrastructure assurance programs include HIPAA, SOC, ISO 9001, ISO 27001, FIPS, and Level 1 compliance under the PCI DSS. Visitors are not permitted in AWS data centers where Shreddr™ is hosted.
Business Continuity and Disaster Recovery
The DOIS maintains our comprehensive Business Continuity and Disaster Recovery (BC/DR) Plan, which is updated when significant changes occur and reviewed annually by executive management. All Captricity employees review the BC/DR Plan for familiarity with their roles and responsibilities. Multiple system and data backups ensure rapid recovery from a failure.
Management Controls Supporting Security
Risk Treatment and Assessment
Captricity’s ISPP establishes security program compliance requirements, which are based on industry-standard frameworks including NIST 800-53 Rev. 4, SOC 2 Type II trust principles, ISO 27001, and PCI DSS v3.0. Policy changes are made in real time, and the ISPP is reviewed annually by executive management, with updates communicated to all constituents.
The data our clients upload into Shreddr™ may be classified as NPI, PII, or other sensitive information. Such data is never accessed without our clients’ approval, and we apply the same robust controls to all data, regardless of classification. Our ISPP provides privacy controls for Least Privilege/Need-to-Know and Role-Based Access Control for constituents.
The DOIS conducts Privacy Impact Assessments at least annually to confirm that privacy protections are incorporated into all aspects of our system and operating procedures.
Captricity has implemented comprehensive security controls across the Technical, Operational, and Management aspects of our business to ensure the protection of your company’s most valuable asset — your data. As your technology partner, we aim to be fully transparent in answering your security questions, and to provide the confidence in our solution needed to entrust Captricity with your data capture and management needs.
Further details on our security controls can be found in our comprehensive Security Audit FAQ.