SolutionsTRAK Data and Security Policy
Last updated: January 2024
Purpose
The purpose of this document is to define and set forth guidelines for the network architecture that supports and hosts PSARA Technologies’ SolutionsTRAK products. It also outlines the individuals authorized to make changes to the network configuration and application. Effective implementation of this policy will minimize unauthorized access to proprietary information and technology.
Hosting Provider
SolutionsTRAK services are hosted through Amazon Web Services (AWS). The data centers themselves are constructed with multiple redundant power and backup power supplies, multiple redundant data connections, security cameras, bullet-resistant walls, 24/7 on-site security, top-of-the-line fire detection and suppression systems, and more.
In the event that problems occur in one data center, all services are shifted to another data center with the same specifications. This is done automatically by the host and should not affect SolutionsTRAK clients if it should occur.
Access
The hosting provider informs many of the security standards for SolutionsTRAK. However, PSARA has defined additional rules and procedures to ensure only appropriate people can access the software, data, and network:
- Access to SolutionsTRAK data and network is controlled by unique credentials: email and encrypted passwords.
- Each SolutionsTRAK client is assigned a client representative, who has access to administrator roles for support purposes.
Team Members
The following team roles have elevated privileges on the network:
- Technical Director
- Application Developer
- Client Representative
The password to access the host network is known only by the Technical Director. The President does have access to this password for the case where a smooth transition needs to occur between Technical Directors.
Client Representatives are the primary point of contact to customers. Initial SolutionsTRAK support requests should be directed to them but may be elevated to the development team.
The Technical Director is the primary supporter of the SolutionsTRAK application. He or she maintains the installation of the application on the host network, installs server patches, and responds to escalated issues not directly related to the host being down.
Application Developers, Client Representatives, and the Technical Director have their own user accounts in client systems. These users have elevated privileges to empower them in customer support troubleshooting.
Rules
PSARA team members will use the following rules to guide them in making security decisions:
- The most recent security patches must be installed on the server as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Always use standard security principles of least required access to perform a function. Do not use administrator rights when a non-privileged account will do.
- SolutionsTRAK data shall not be placed on any computer that is not the property of PSARA.
Security Protocols
PSARA utilizes several industry standard security protocols within the SolutionsTRAK system to ensure data security, including but not limited to:
Bcrypt Password Hashing
All user passwords must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character. Passwords are hashed using bcrypt, a trusted hashing function that hashes every password with a salt.
Row-Level Security
SolutionsTRAK utilizes Row-Level Security to restrict access to data rows within the SQL database based on each user’s authorization context. This ensures users are not able to view or edit data for which they do not have authorization.
Data
Sensitive Data
PlanTRAK is designed for tracking compliance with business regulations and adherence to best practices. It is not intended for personnel management or for storing data related to HIPAA (Health Insurance Portability and Accountability Act). As such, PSARA advises PlanTRAK users against storing any HIPAA-related information in the system. For detailed information about how PSARA handles data collection, usage, and disclosure through our software, please consult our Privacy Policy.
Backups
Multiple backup systems are in place. These backups include rolling backups in the event of hardware or similar malfunction at the data center (the host handles this), encrypted daily backups and transaction log backups, and encrypted monthly archival backups.
Rolling and daily backups are stored at the data center on servers not accessible by the client/public facing servers. Archival backups are kept with PSARA and are not accessible outside of physical access. All backups undergo random testing. Decommissioned media that may have contained client data is physically destroyed to provide the highest protection of client data.
Ownership of Data
All client data is the property of the client, though the client necessarily grants PSARA access to this data for the purpose of use in PlanTRAK. Clients may export the data using several built-in functions; the most common of these is exporting tables into Microsoft Excel compatible formats. Clients may also request data that may not be easily accessible through the common exporting tools if needed. To maintain security, the code that runs the PlanTRAK system is the sole property of PSARA and not available for clients to host on their own servers or inspect for any reason.
Risk Management
Monitoring
The PlanTRAK website is monitored by UptimeRobot, a third-party website monitoring service. When the site is down, the Development Team is notified. PlanTRAK system logs are also monitored by technical staff daily to ensure the system is operating properly.
Disaster Recovery
A substantial disaster recovery plan is in place. The plan covers scenarios ranging from minor interruptions in service at the data center and hardware failure to region-wide natural disasters requiring a full restore and relocation of the system.
In the event that the data center or the servers operating therein are disabled and no longer able to function, services will be transferred to a secondary, regionally distinct data center.
In the event that the data center and all contingency data centers are no longer able to function effectively, PSARA will transfer the most recent backup data and services to a secondary, distinct hosting provider. Full access to the system will be available once services have been fully transferred and network addressing has properly propagated through the internet. We anticipate that the process of transferring service will take less than 24 hours to complete, at which time full access to the system will be restored.
In the event that the internet becomes largely unavailable or unreliable as a means of communication, PSARA will freeze all client data and hold it locally until services can reliably be restored.
Policy Compliance
The President will verify compliance with this policy annually by reviewing the Technical Director’s reports, including the Audit Logs report, the current state of backups, and server update/patch logs.
Non-Compliance
An employee found to have willfully violated this policy may be subject to disciplinary action, up to and including termination of employment.