We've built Jane with security and privacy as our main focus. It drives our culture, training, and hiring processes, and it shapes how we use technology to protect and secure data.
This white paper outlines Jane's approach to security and how we ensure that securing Jane data is, and always will be, our top priority.
Jane is SOC 2 Certified
SOC 2 certification covers five Trust Services Categories for managing customer data correctly: security, availability, processing integrity, confidentiality, and privacy. It's a framework we use at Jane to ensure we follow best practices for keeping your data safe.
The certification is granted by external auditors who carefully inspect Jane's security practices from top to bottom. 🔍 To learn more, read this post from Jane's Privacy & Security team!
| Area | Jane's approach |
| --- | --- |
| Amazon Web Services | Jane's physical infrastructure is hosted and managed within Amazon Web Services' secure data centers. We use AWS's built-in security, privacy, and redundancy features, including regular backups. Amazon Web Services complies with leading security policies and frameworks, including ISO 27001, SOC 1, and SOC 2. |
| Resiliency | Hosting on AWS lets Jane remain available even if one location goes down: each AWS region spans multiple data centres (availability zones), so Jane's servers can keep running through a failure at one of them, whether a natural disaster or a system failure. |
| Defense In Depth | We've enabled AWS security features such as an intrusion protection system and a Web Application Firewall. |
| Encrypting Data | Data that passes through Jane is encrypted, both in transit and at rest. All volumes where customer data is stored are encrypted, and every backup is encrypted individually. Data in transit is encrypted using TLS 1.2 (ECDHE_RSA with P-256 key exchange and AES_128_GCM), and data at rest using AES-256. |
| Datacenter Security | AWS follows industry best practices and has strict physical access policies for the data centre building. For more information, see Amazon's documentation on physical access controls: AWS Data Layer |
| Data Storage | Each Jane account is stored in its own database schema. |
| Continuous Monitoring | Jane continuously and automatically monitors and vulnerability-scans its AWS infrastructure so that we stay proactive and have complete awareness of potential vulnerabilities, incidents, and threats. |
| Customer Backups | We use mirrored database servers for real-time backups and perform daily backups. Backup files are stored using AWS redundancy across multiple availability zones. All backups are encrypted in transit and at rest. |
| Data Deletion | We delete data in a way that does not allow reconstruction, following NIST 800-88 guidelines for data destruction. |
| Account Security | Jane secures your credentials by salting and hashing them with industry-standard methods before they are stored. Additional documentation on our security features is available here: Security Features |
| Activity Log Feature | The Account Owner has access to the Activity Log, which gives a detailed breakdown of all staff activity. It can be filtered by date range, staff member, and the type of data accessed. |
| Data Protection | Jane will continue to secure and protect your data for as long as you have a Jane account, unless instructed otherwise by the Account Owner. If the Account Owner decides to close their Jane account, we can export your data free of charge, or we can place the account on hold at a lesser fee. |
| Development Lifecycle | Jane developers follow a strict policy to ensure that features and updates are secure by design, during development, and after deployment. Jane releases updates weekly (sometimes more often), each heavily tested by our QA Team before deployment. Updates do not require downtime. |
| Third-Party Integration | Jane's optional third-party services are assessed thoroughly before implementation to ensure that they meet our security requirements. No medical data or patient health information is sent to our third-party services. View our optional third-party integrations here: Jane's Integrations |
| Regulatory Compliance | Jane complies with applicable legal and regulatory requirements as well as best practices. This includes compliance with all Canadian privacy laws, GDPR, HIPAA, and Standard Codes of Practice across multiple health professions. |
| PCI compliant | Jane never stores or processes credit card information. Payments are handled by an optional integration with Stripe or Payfirma, both of which are PCI compliant. Additional information can be found here: Is Jane PCI-Compliant? |
| Dedicated Team | We have a dedicated Security and Privacy Team that regularly reviews our policies, updates training, and ensures that Jane is one of the top EMR companies for securing data. |
| Security Culture | At Jane, we run regular security training, developed by our own Security and Privacy Team, covering our information security policies, security best practices, and privacy principles. |
| Confidentiality | Jane employees sign a confidentiality agreement upon hire. We also have a strict policy that we only access your account when you request assistance from us, and chart access is visible only to our senior managers. In either case, all access is logged. |
| Background Check | All Jane employees complete a strict background check prior to employment. |
| Recovery Plan | Jane maintains a Disaster Recovery Plan, which is regularly reviewed and updated by our Security and Privacy Team. |
| Incident Response Program | Jane maintains an incident response program that defines the conditions and procedures we have in place to assess any relevant vulnerabilities or security incidents, and that establishes remediation and mitigation actions for all events. |
| Privacy Breach Policy | We follow the BC Privacy Commissioner's four-step Privacy Breach Response Protocol. The documentation can be found here: Privacy Breach Policy |
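The "Encrypting Data" row names a concrete transit policy: TLS 1.2, ECDHE key exchange with RSA authentication, AES-GCM. The following is an added example, not code from Jane or this white paper, showing how a client can enforce that policy with Python's standard `ssl` module and how a list of cipher suites (for instance, one reported by a scanner) can be audited against it. The suite names are OpenSSL's (e.g. `ECDHE-RSA-AES128-GCM-SHA256`); the sample cipher list at the bottom is constructed for illustration.

```python
import ssl

# Transit-encryption policy from the white paper: TLS 1.2 or newer,
# ECDHE key exchange (forward secrecy), RSA authentication, AES-GCM.
# Suite names follow OpenSSL's naming, e.g. ECDHE-RSA-AES128-GCM-SHA256.


def build_transit_context() -> ssl.SSLContext:
    """Client-side TLS context restricted to the policy above."""
    ctx = ssl.create_default_context()            # certificate verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1
    # TLS 1.2 suites: ECDHE key exchange with AES-GCM only, and never
    # anonymous or null ciphers. TLS 1.3 suites are handled separately
    # by OpenSSL and are all AEAD with forward secrecy.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL")
    return ctx


def enabled_tls12_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites the context would offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def cipher_meets_policy(name: str) -> bool:
    """True for an OpenSSL suite name using ECDHE key exchange and AES-GCM."""
    return name.startswith("ECDHE-") and "-AES" in name and "-GCM-" in name


def audit_cipher_list(names) -> list:
    """Return the suites in `names` that fall outside the policy.

    Useful when reviewing a server's configured cipher list (or a
    scanner's report of it) against the stated transit policy.
    """
    return [n for n in names if not cipher_meets_policy(n)]


if __name__ == "__main__":
    ctx = build_transit_context()
    print("offered TLS 1.2 suites:", enabled_tls12_ciphers(ctx))
    # Constructed sample server cipher list: one compliant suite, a
    # static-RSA CBC suite, and a finite-field DHE suite.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DHE-RSA-AES256-GCM-SHA384"]
    print("non-compliant:", audit_cipher_list(sample))
```

`set_ciphers` only governs TLS 1.2 suites; the `minimum_version` line is what actually rules out the older protocol versions, so both settings are needed to match the policy in the table.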
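The "Account Security" row says credentials are salted and hashed before storage. As an added example (not Jane's code, and not a description of Jane's actual scheme), here is what that looks like with a slow, standard key-derivation function from Python's standard library: a random per-credential salt, the parameters stored alongside the digest so they can be raised later, and a constant-time comparison on verification. The `algorithm$iterations$salt$digest` record format is an assumption made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed record format for this example: algorithm$iterations$salt$digest,
# with salt and digest base64-encoded, so every parameter needed to verify
# a credential travels with its hash.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_credential(password: str, *, iterations: int = DEFAULT_ITERATIONS,
                    salt: Optional[bytes] = None) -> str:
    """Return a storable record for `password`.

    A fresh 16-byte random salt per credential means identical passwords
    produce different records, which defeats precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_credential(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare it in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False          # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was made with an old algorithm or fewer
    iterations than current policy. Call after a successful login to
    upgrade the record transparently while the plaintext is available."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_credential("correct horse battery staple", record))
    print("wrong password:", verify_credential("wrong", record))
    print("needs rehash:", needs_rehash(record))
```

The iteration count is the tunable cost: it should be set high enough that one hash takes a noticeable fraction of a second on the servers doing the verification, and `needs_rehash` is how a deployment raises that cost over time without forcing password resets.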
Here are additional resources that you might find helpful:
If you have any questions for our team, please contact us at firstname.lastname@example.org.