The ACAwise team has implemented standard security protocols and mechanisms to protect our clients' data at every stage of the ACA reporting process.
Here is an overview of the data security standards and measures set in place by ACAwise.
HIPAA Compliance
- The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that establishes rules for safeguarding Protected Health Information (PHI).
- PHI encompasses any data that can be used to identify a patient or their health status; it is therefore highly sensitive information that demands comprehensive protection.
- As a provider of services that handles PHI, ACAwise has implemented the security measures required to comply with HIPAA. These include technical, physical, and administrative safeguards that protect the confidentiality, integrity, and availability of PHI.
SOC 2 Compliance
- SOC 2 is a security framework for service organizations created by the American Institute of CPAs (AICPA). A SOC 2 report is an independent auditor's attestation (not a certification) that a company has established and maintains controls to protect the security, availability, and integrity of client data.
- These controls cover policies and procedures for the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 audits assess whether a company's systems and processes meet these criteria.
- As a SOC 2 audited e-file provider, ACAwise undergoes routine audits to confirm that its systems and procedures continue to meet the SOC 2 criteria and safeguard client data and privacy across all operational facets.
CCPA Compliance
- The California Consumer Privacy Act (CCPA) is a privacy statute that grants California residents specific rights over their Personal Information (PI).
- PI encompasses any information that identifies, relates to, describes, or can reasonably be linked to a particular individual or household.
- As a provider of services that handles the PI of California residents, ACAwise complies with the CCPA. This means ACAwise gives California residents the right to know what PI is collected about them, the right to access that PI, the right to have it deleted, and the right to opt out of the sale of their PI.
PCI DSS Compliance
- The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that credit, debit, and prepaid card payments are processed securely and to reduce the risk of cardholder data being misused.
- All the payment processing tools utilized by ACAwise comply with PCI requirements for the encryption and secure transmission of credit card data.
Two-Factor Authentication (2FA)
ACAwise clients can enable Two-Factor Authentication (2FA) via email or phone for added account security.
Firewall Protection
A firewall in front of our application filters incoming traffic, inspects it for suspicious patterns, and allows only authorized access.
Antivirus Protection
Our systems are protected by antivirus software that continuously monitors device behavior, files, and applications, flagging anomalies and blocking potential threats.
PII Data Security
We strictly adhere to standard regulations for safeguarding clients' personal information like Social Security numbers, email addresses, and phone numbers.
Encryption - Data-at-Rest, Data-in-Transit & Data-in-Use
We encrypt client data in our database (data-at-rest) and during transmission between networks or devices (data-in-transit); transport encryption uses TLS, the successor to the deprecated SSL protocols. Note that TLS protects data only while it is in transit. Data that is being actively accessed or processed (data-in-use) is protected by the access restrictions described below rather than by transport encryption.
Access to production databases is limited to personnel who need it (least privilege). We fragment data and take regular backups to limit the impact of a security incident and to ensure recovery.
We employ layered security mechanisms and controls, i.e., a Defense-in-Depth architecture, so that no single control is a single point of failure.
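The paragraph above describes encryption at rest and least-privilege access to the production database but not how it is done. The following is an added example, not ACAwise's code and not an implementation the page describes, showing how a single PII column (here an SSN) is typically encrypted at rest with AES-256-GCM in Go. The 32-byte key, the record identifiers and the column names are constructed placeholders for this example; in a real deployment the key would be fetched from a KMS or HSM, never embedded in source or stored next to the ciphertext. The associated data binds each ciphertext to its row and column, so a ciphertext copied into another row fails to decrypt, and a fresh random nonce per value means two identical SSNs never produce identical stored ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed placeholder data-encryption key for this example only (32 bytes -> AES-256).
// In production the key lives in a KMS/HSM and is never committed to source
// or stored in the same database as the ciphertext.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// aad builds the associated data that binds a ciphertext to the row and
// column it belongs to. A ciphertext moved to another row or column fails
// GCM authentication on decrypt instead of silently decrypting.
func aad(recordID, column string) []byte {
	return []byte(recordID + "|" + column)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one PII value (e.g. an SSN) for storage at rest.
// The stored form is base64(nonce || ciphertext || tag). A fresh random
// nonce per call means identical plaintexts do not yield identical ciphertexts.
func EncryptField(key []byte, recordID, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends the ciphertext and tag to the nonce slice, giving nonce||ct||tag.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any change to the nonce, ciphertext,
// tag, or the record/column the value is bound to returns an error, not garbage.
func DecryptField(key []byte, recordID, column, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	data, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(data) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID, column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample record: employee "emp-1042", SSN column.
	ct, err := EncryptField(demoKey, "emp-1042", "ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", ct)

	pt, err := DecryptField(demoKey, "emp-1042", "ssn", ct)
	fmt.Println("decrypted:", pt, err)

	// Copying the ciphertext into another employee's row fails authentication.
	_, err = DecryptField(demoKey, "emp-2077", "ssn", ct)
	fmt.Println("swapped row:", err)
}
```

The application holds the key and the database holds only the opaque ciphertext, so a database-level compromise alone does not expose SSNs; key rotation is done by re-encrypting rows under a new key identified by a version prefix, which this example omits.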
Oracle Cloud Infrastructure Security
Our database runs on Oracle Cloud Infrastructure (OCI) and is protected by OCI's security services, and our servers are protected by OCI Compute security controls.
Data Loss Prevention
We use standard Data Loss Prevention (DLP) practices to prevent sensitive data loss and data exfiltration.
Secure Remote Access - VPN
Access to our servers and tools is restricted to authorized ACAwise personnel connected through a secure VPN, and network access is further limited to an allowlist of authorized IP addresses.
Access to our systems from unauthorized wireless networks is blocked to protect data confidentiality.
Internet URL Filtering
To keep security threats from entering our systems, we block access through our network to websites that may host malicious content (e.g., phishing pages).
Secure Software Development - DevSecOps
By building security into our DevOps testing and deployment pipeline (DevSecOps), we ensure secure software development throughout the development cycle.
We identify vulnerabilities and plan countermeasures early in development, rather than after the application has shipped.
We have standard procedures in place for responding to unexpected security incidents.
We carefully plan, test, and validate changes before deploying them so that no change we introduce puts client data at risk of loss.
Our security policies include measures and guidelines covering access control, encryption, audits, and vulnerability assessments.
Security Awareness Training
Our team is well-informed about data security and keeps up with new security technologies, strengthening our collective defense and reinforcing our commitment to data security.
Incident Response
We have a clear procedure for handling security incidents, with defined levels of escalation.
Penetration Testing
We conduct penetration tests following OWASP testing guidance to identify and remediate web application vulnerabilities.
Monitoring and Response
We monitor and scan our network and applications for security threats and respond proactively if there is any sort of threat identified.
Server Hardening
We apply server hardening processes to reduce the attack surface of our servers and secure them against potential attacks.