Security

Your privacy and security are a top priority at Evalubox. Your evaluation reports contain information that only you and your clients need to see, and we intend to keep it that way. Every day we ensure that our security keeps pace with industry standards and compliance requirements.

HIPAA compliant

Evalubox is fully committed to helping healthcare providers protect patients' healthcare information when sending ePHI via Evalubox. Evalubox is compliant with HIPAA and the Privacy Rule, as well as the Administrative, Physical, and Technical Safeguards of the Security Rule.


FERPA compliant

Evalubox helps schools facilitate electronic communication between providers, educators, administrators, school districts, parents, and students in full compliance with FERPA (20 U.S.C. § 1232g; 34 CFR Part 99), so as to protect the privacy of student educational records.


Physical security

Evalubox data centers (handled by Amazon AWS) are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure.

Software security

Servers and networking

All servers that run Evalubox software in production are recent and are hosted only on HIPAA-approved cloud services from AWS. The services we utilize, such as S3, CloudFront, and others, are comprehensively hardened.

Storage

Evalubox stores evaluation data such as intake information, test scores, report documents, and customer data in different locations, and compiles and generates documents from it when requested. All data in each location is encrypted at rest and in transit with AES-256, with encryption keys managed separately from the data they protect.

Coding and testing practices

Evalubox leverages industry-standard programming practices, such as documented development and quality assurance processes, and follows guidelines such as those published by OWASP, to ensure that the application meets security standards.

Employee access

We follow the principle of least privilege both in how we write software and in the level of access employees are instructed to use when diagnosing and resolving problems in our software and responding to customer support requests.

Isolated environments

The production network segments are logically isolated from the Corporate, QA, and Development segments.

Customer payment information

Evalubox uses a secure external third-party payment processor and does not itself process, store, or transmit any payment card data.

System monitoring and alerting

At Evalubox, the product application and underlying infrastructure components are monitored around the clock (24/7/365) by dedicated monitoring systems. Critical alerts are sent to on-call DevOps team members, who are available 24/7/365, and escalated to operations management as appropriate.

Service levels and backups

Evalubox infrastructure uses multiple layered techniques to improve uptime, including auto-scaling, load balancing, task queues, and rolling deployments. We take full automated backups of our databases. All backups are encrypted.

Vulnerability testing

Web application security is evaluated by the development team in step with the application release cycle. Vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before changes are released into production.

Application architecture

The Evalubox web application is split into logical tiers (front-end, API tier, database), each isolated in its own separate account. This provides strong protection and independence between layers.

Log out after 30 minutes of inactivity

The Evalubox web application automatically logs you out after 30 minutes of inactivity within the application.
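The inactivity logout described above is only meaningful if it is enforced on the server, not just by a client-side timer. The following added example shows a server-side idle-timeout check; it is illustrative code written for this page, not Evalubox's implementation. Every authenticated request passes through `Touch`, which invalidates the session once the 30-minute window since the last activity has elapsed and otherwise refreshes the activity timestamp. The `Session` type and function names are assumptions; the 30-minute value is the one stated on the page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// IdleTimeout is the inactivity window after which a session is invalidated.
// The 30-minute value comes from the page; the surrounding structure is assumed.
const IdleTimeout = 30 * time.Minute

var ErrSessionExpired = errors.New("session expired due to inactivity")

// Session is a minimal server-side session record (assumed shape for this example).
type Session struct {
	ID           string
	LastActivity time.Time
	Active       bool
}

// Touch is called on every authenticated request with the current time.
// If the idle window has elapsed the session is invalidated server-side and an
// error is returned; otherwise the activity timestamp is refreshed.
// The check uses the server clock, so a client cannot extend its own session
// by sending a forged timestamp.
func (s *Session) Touch(now time.Time) error {
	if !s.Active {
		return ErrSessionExpired
	}
	if now.Sub(s.LastActivity) >= IdleTimeout {
		s.Active = false // invalidate; the session ID must not be accepted again
		return ErrSessionExpired
	}
	s.LastActivity = now
	return nil
}

// RemainingIdle reports how long the session may stay idle before it expires.
func (s *Session) RemainingIdle(now time.Time) time.Duration {
	if !s.Active {
		return 0
	}
	rem := IdleTimeout - now.Sub(s.LastActivity)
	if rem < 0 {
		return 0
	}
	return rem
}

func main() {
	// Constructed timeline for demonstration.
	start := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	s := &Session{ID: "constructed-session", LastActivity: start, Active: true}
	for _, step := range []time.Duration{29 * time.Minute, 58 * time.Minute, 88 * time.Minute} {
		err := s.Touch(start.Add(step))
		fmt.Printf("t+%v: active=%v err=%v\n", step, s.Active, err)
	}
}
```

In the constructed timeline the requests at 29 and 58 minutes each land within 30 minutes of the previous activity and keep the session alive, while the request at 88 minutes arrives exactly 30 minutes after the last one and is rejected; once invalidated, the session stays invalid even if a later request arrives.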