Our security model is anchored on protecting the confidentiality, integrity and availability of data. During our cyclical risk management evaluations we apply industry standards from the National Institute of Standards and Technology (NIST) and our cloud provider, Amazon Web Services (AWS) as well as input from third-party experts. To address potential concerns and earn the trust of our partners to store and process sensitive data, we have compiled a list of controls that relate to commonly asked questions we receive on the matter of security.
If you believe you have found a security issue or have any concerns or questions about Blackfynn security, please contact us at firstname.lastname@example.org.
For more information, please visit our website.
Network and System Security
The Blackfynn platform, as well as all the PHI and PII data stored on it, is hosted in AWS data centers. By using a shared responsibility model, Blackfynn inherits all physical and environmental controls (physical access, network and power redundancy, hardware disposal, fire suppression, etc) from compliance programs managed by AWS. The compliance programs offered by AWS include, but are not limited to, HIPAA (United States), GxP (United States), C-5 (Germany) and G-Cloud (UK).
Resiliency and Availability
Blackfynn has leveraged the reliability recommendations from the Reliability Pillar of the Well Architected Framework provided by AWS such as, but not limited to, the use of feature toggles, encrypted backups, load balancing and instance auto-scaling. Blackfynn maintains business continuity and disaster recovery plans which are regularly reviewed and rehearsed.
All Blackfynn employees, regardless of access rights, undergo background checks. We conduct three levels of checks:
- National criminal record and SSN fraud
- Employment verification
- Education verification
A user will be locked out of their account after three failed attempts. Once an account is locked, an organization administrator needs to unlock it. This is further outlined and available in our Access Control Policy.
Data Confidentiality and Integrity
All data transmitted from customer devices to the Blackfynn platform is protected using 256-bit TLS encryption. To provide encryption and data segregation at rest, each organization has a unique key in which data is encrypted using AES-256. This encryption is managed by Amazon's Key Management Service (KMS). Audit logs track each time a key is used to encrypt or decrypt data.
Blackfynn signs every email by using the DomainKeys Identified Mail (DKIM) standard. Additionally, email can only be sent from IP addresses that are published in our Sender Policy Framework (SPF) record.
Blackfynn's platform is HIPAA compliant and has undergone assessment by third parties. All in house developed software is reviewed by at least two members of our team.