Security at Vitable

Ensuring the privacy and protection of our Members’ data is extremely important to us. Here is a brief overview of the practices we follow to keep our Members’ data safe.

1 | Policies and Audits

Vitable has established strict policies and controls, which are actively monitored to ensure compliance. We work with third-party auditors to prove our security and compliance with these policies.

Our policies are based on the following core principles:

  1. Access should be limited to those with a business need for it to do their job, and granted according to the principle of least privilege
  2. Security controls should be in place across all areas of the business
  3. Security controls should continue to mature over multiple periods of iteration to improve effectiveness

Vitable maintains compliance with:

  1. HIPAA
  2. SOC 2 Type 2 (we are currently undergoing the attestation process)

2 | Data Security

Data at Rest

Data is encrypted at rest using AES-256 encryption, a robust block cipher, for both columnar and blob (file) storage.

Data in Transit

Data is encrypted in transit using TLS encryption on all our systems, ensuring secure internet communication. Keys and certificates are managed by AWS and are always kept up-to-date, valid, and rotated.

Key Management

Encryption keys are securely managed with AWS’s key management infrastructure: they are stored encrypted, and their management and rotation are handled by AWS infrastructure.

3 | Product Security

Authentication

  • Two-Factor Authentication (2FA) is mandatory for all users with internal admin-level access
  • All endpoints to sensitive data contain authorization checks to ensure the authenticated user is allowed to access the requested data

Audit Trail

  • We store audit logs for all authentication attempts to our system
  • We store audit logs for all authorized access to our system
  • We store audit logs of create, read, and update operations for all ePHI in our system
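As an added illustration of the two Product Security practices above (this is example code written for this page, not Vitable’s own implementation), the handler below shows an endpoint to sensitive data that checks the authenticated user is allowed to see the requested record, requires an MFA-verified session for admin-level reads, and writes an audit record for every authentication failure, authorization decision, and ePHI read. The session, record store, and `AUDIT_LOG` sink are constructed in-memory stand-ins; a real service would back them with its identity provider, database, and log pipeline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed in-memory audit sink standing in for a real, append-only log store.
AUDIT_LOG: list[dict] = []


def audit(event: str, **fields) -> dict:
    """Append a structured audit record. Every authentication attempt,
    authorization decision and ePHI read on this endpoint passes through here."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    AUDIT_LOG.append(record)
    return record


@dataclass
class Session:
    """Hypothetical authenticated session as the auth layer would hand it to a handler."""
    user_id: str
    role: str                 # "member" or "admin"
    mfa_verified: bool = False


# Constructed sample records; the ePHI payloads are placeholder strings.
MEMBER_RECORDS = {
    "m-100": {"owner": "m-100", "data": "constructed ePHI for member m-100"},
    "m-200": {"owner": "m-200", "data": "constructed ePHI for member m-200"},
}


class Forbidden(Exception):
    """Raised for any request the endpoint refuses; the caller maps it to an HTTP error."""


def get_member_record(session: Optional[Session], member_id: str) -> dict:
    """Endpoint handler for reading one member's record.

    Enforces, in order: an authenticated session; existence of the record;
    for admins, an MFA-verified session; for members, ownership of the record
    (object-level authorization). Each outcome is written to the audit log.
    """
    if session is None:
        audit("auth.denied", reason="unauthenticated", resource=member_id)
        raise Forbidden("authentication required")

    record = MEMBER_RECORDS.get(member_id)
    if record is None:
        # Same error type as an authorization failure, so callers cannot probe
        # which member ids exist by comparing responses.
        audit("access.denied", user=session.user_id, reason="not_found", resource=member_id)
        raise Forbidden("not permitted")

    if session.role == "admin":
        if not session.mfa_verified:
            audit("access.denied", user=session.user_id, reason="mfa_required", resource=member_id)
            raise Forbidden("2FA required for admin-level access")
    elif record["owner"] != session.user_id:
        # The authenticated user is valid but is not the owner of this record.
        audit("access.denied", user=session.user_id, reason="not_owner", resource=member_id)
        raise Forbidden("not permitted")

    audit("ephi.read", user=session.user_id, resource=member_id)
    return record


def last_audit_event() -> dict:
    """Most recent audit record; convenient for checking what the handler logged."""
    return AUDIT_LOG[-1]
```

The ordering matters for the audit trail: the unauthenticated case is logged before any lookup, so failed authentication attempts are recorded even when the requested record does not exist, and an ePHI read is logged only after every check has passed.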

4 | Business Security

Device Protection

All work devices are centrally managed and are equipped with mobile device management (MDM) software. We use MDM software to enforce secure device configuration, such as disk encryption, screen lock, installed anti-virus software, and software updates.

Security Education

Vitable provides security training to all employees upon onboarding and annually through our compliance partner, Vanta.

Vendors

Vitable uses a risk-based approach to working with vendors. We assess the risk of working with a vendor based on several factors. Once the inherent risk rating has been determined, the vendor’s security and compliance are evaluated to determine a residual risk rating and an approval decision for the vendor.

5 | Our Commitment

Vitable is committed to working with security researchers across the world to keep our systems secure. If you believe you have found a security vulnerability in any of our products, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to fix the problem quickly.