Last revision: 02.06.2020.
Data Security Policy in Brief
This Data Security Policy specifies details about how Myworkout handles customer data, employee PII, intellectual property and other sensitive information.
Our data centers, operated by Amazon Web Services ("AWS"), are covered by SOC 1 (formerly SAS 70 Type II / SSAE 16) and SOC 2 reports, are HIPAA and HITRUST compliant, and feature proximity security badge access and digital video surveillance. All of our customers' private data is stored within our Virtual Private Cloud. All access to our web services is secured over HTTPS using TLS 1.2 or later with AES-128 or AES-256, and personal data is encrypted at rest using AES-256. We perform annual OWASP audits and apply security practices continuously throughout development.
Data Center and Hardware
All Myworkout application and database servers are physically managed by AWS in secure data centers in the "eu-west-1" region. Our security procedures follow industry best practices from sources including the Center for Internet Security, Microsoft, Red Hat and others. All data center facilities are certified SOC 2/HIPAA/HITRUST compliant and have 24/7 physical security and Network Operations Center monitoring. A complete listing of compliance programs can be found here: https://aws.amazon.com/compliance/programs/.
AWS manages the physical access to the data centers. They control both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Myworkout employees do not have access to physical server hardware that holds PII.
Data Access and Server Management Security
Myworkout has a combination of firewall and authentication rules for accessing our hosting environment. All data access is through encrypted channels and server access on public networks requires a VPN connection to our main office. Only select Myworkout employees are able to directly access our servers.
All AWS data centers are equipped with automatic fire detection and suppression (either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems), climate and temperature controls, fully redundant uninterruptible power supplies, and generators to provide back-up power for each physical site.
Data Storage and Backups
All User Data stored in our Myworkout GO system is encrypted at rest using AES-256 encryption. Any identifiable data within the Myworkout GO system is stored in a separate and secured database (managed through AWS RDS) or on AWS S3. Myworkout maintains numerous full backups of all User Data. These backups are stored in a geographically and logically separated environment.
User Data Policies
User data includes data stored by Users in Myworkout applications, information about a User’s usage of the application, data instances in the Customer Relationship Management system to which we have access, or data that the User has supplied to us for support or implementation. When managing User Data, we take into account the following considerations:
- User Data is not to be disclosed outside of Myworkout, except to the User who owns the data or to a partner who has been contracted by the User to manage or support their account.
- User Data should only be shared using secure transmission methods and protocols. Approved transmission methods include the Myworkout Support Portal, emailing of encrypted files, or use of a User-provided secure transfer method.
- User Data must never be stored outside of the Myworkout system unless required for a specific need and with executive level approval. If there is a need to archive User Data (for example, data provided by a User during implementation or training), the data should be stored on a central file server in a secure manner and deleted from any personal computers immediately. This includes report exports, contact lists, presentations that contain User information, and User agreements.
- User Data should only be accessed on a need-to-know basis. Specifically, a User’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
- User Data should never be changed without the explicit permission of the User, except for the need to address and repair data quality issues.
Destruction of Server Data
User data is deleted, anonymised or de-identified within 14 days after the user has requested deletion of the account. Our backup policies adhere to these requirements: backups are retained for 14 days and then automatically destroyed, so no copy of deleted data survives in a backup beyond that retention window.
Disposal of Computers and Other Data
Old computers and servers used to store or access Client information are wiped with a 7-pass overwrite before being recycled or resold; this exceeds the single verified overwrite pass that NIST SP 800-88 specifies for clearing magnetic media. For SSDs and other flash media, NIST SP 800-88 treats overwriting as at most a Clear operation and calls for a Purge such as cryptographic erase or the drive's built-in sanitize/block-erase command. Paper containing personal data in the office is discarded using a document shredder. Myworkout also adheres to a clear desk/clear screen policy.
Security Incident Response
Myworkout security administrators are immediately and automatically notified via e-mail or Slack when implemented security controls detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within one (1) hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was performed or the incident happened
- Develop a plan to improve security and prevent future attacks or incidents
- Keep management informed of the situation and prosecute any illegal activity
Determining the Extent of an Incident
Security administrators will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and interviewing the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Notifying Clients of an Incident
Clients will be notified via email within 24 hours upon detection and confirmation of any incident that compromises access to the service, compromises data, or otherwise affects Users. Clients will receive a status update upon incident resolution.
Data Transfer and Encryption
All data transfer and access to Myworkout applications occurs only on port 443 over an HTTPS connection using TLS 1.2 or later, with AES-256 as the preferred cipher. To ensure client compatibility we allow AES-128 for systems where AES-256 is not available.
We annually audit and review our TLS certificate and server configuration using the Qualys SSL Labs server test to make sure our configuration reaches a minimum of grade A.
Our software architecture is container-based, which ensures that our applications run in isolation from each other. This limits the blast radius if one application is compromised, though containers share the host kernel and are not a substitute for host-level hardening.
System Updates and Security Patches
As a hosted SaaS solution, we regularly improve our system and apply security patches. Since our services are container-based, it is easy to upgrade our systems to the latest versions and security patches at both the OS and application server level. Non-critical system updates are installed at predetermined times. Critical application updates are performed ad hoc using rolling deployment to maximize system availability and minimize disruption. All updates and patches are evaluated in a staging environment that mirrors production before being rolled out.
Vulnerability and Security Testing
Myworkout practices data privacy by design and by default, and security tests are part of our automated test suites. In addition we perform annual OWASP audits and run Amazon Inspector vulnerability assessments of our server environment bi-weekly. Code that is added to our applications and services is manually reviewed by other colleagues and automatically analyzed by third-party code quality testing software.
User Login and Session Security
Users are not able to log in to Myworkout's application directly. All user logins and sessions are authenticated via a secure OAuth 2.0 access token.
Application Password Management
All Myworkout employees receive training in password security, and we use vetted password management software that keeps passwords unique and rotates them when needed (e.g. 1Password Watchtower to detect reused or compromised sites/passwords). For our Myworkout GO system we require all user passwords to be at least 8 characters long, and each password is checked against lists of common and leaked passwords and rejected if found.
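The password check described above (minimum length plus a lookup against leaked-password lists) can be implemented without ever sending the password, or even its full hash, to the lookup service. The following is an added example, not Myworkout's own code: it uses the k-anonymity range scheme popularised by Have I Been Pwned, where only the first five hex characters of the SHA-1 hash are sent and the service returns every known suffix for that prefix. The breach table and the `range_response` function that emulates the remote API are constructed for this example so that it runs offline; the hypothetical `fetch` parameter is where a real HTTP call would be plugged in.

```python
"""Password acceptance check: length policy plus leaked-password lookup
via k-anonymity range queries (added example, not the page's own code)."""
import hashlib
from typing import Callable, Tuple

MIN_LENGTH = 8

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# These are obviously weak strings, chosen only to build realistic responses.
_KNOWN_LEAKED = {
    "password": 3861493,
    "12345678": 2938594,
    "qwertyuiop": 457,
    "letmein1": 112,
}


def _sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form used by the range scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Emulates GET /range/{prefix}: one 'SUFFIX:COUNT' line per known hash
    whose first five hex characters equal the prefix. Constructed stand-in
    for the remote service; it never sees the full hash or the password."""
    lines = []
    for pw, count in _KNOWN_LEAKED.items():
        digest = _sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def leaked_count(password: str, fetch: Callable[[str], str] = range_response) -> int:
    """Return how many breaches the password appears in (0 if none).
    Only the 5-character prefix is passed to `fetch`; matching the remaining
    35 characters happens locally, so the service learns nothing useful."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch: Callable[[str], str] = range_response) -> Tuple[bool, str]:
    """Apply the policy: at least MIN_LENGTH characters and not in a leak list.
    Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    hits = leaked_count(password, fetch)
    if hits > 0:
        return False, f"found in {hits} known breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["short1", "password", "correct horse battery staple"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Against a real service the `fetch` argument would perform the HTTPS request and return the response body unchanged; the rest of the logic, including the local suffix comparison, stays the same. The length check runs first so that a trivially short password is rejected without any lookup at all.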
Personal Data Risk Handling
All Myworkout staff members are made aware of relevant external regulations as part of their onboarding and training process. Confidentiality agreements are entered into with all employees.
We restrict Myworkout employee access to personal data based on the assessed risk level and a need to know basis.
Where anonymization is not possible (e.g. for technical reasons, where a product problem can only be recreated using PHI, such as investigating a problem on a User’s device), access to the data is restricted and the data is destroyed or returned to the User as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library. Any identifiable data within the Myworkout GO system is stored in a separate and secured database.
The processing of personal data is limited to the minimum required to deliver the service to our customers. We conduct DPIAs for each processing purpose that is likely to entail high risk, especially data that falls under special categories of data according to GDPR.
Myworkout expects a high standard of professional integrity from our collaborators, clients, and partners and requires that they process personal data according to GDPR or applicable privacy framework such as EU-US Privacy Shield.