- 256-bit AES-encrypted signaling and media stream
- Connections to web app and API through HTTPS only, using TLS 1.3 or 1.2 for in-transit encryption, and TLS 1.0 for older browsers that do not support TLS 1.3 or 1.2. (See our Qualys SSL Labs Report here.)
- 128-bit AES full database encryption using BitLocker
- PHI encrypted at rest using AES-256.
- Dedicated data center cage with biometric security, with no reliance on third parties for any routine network maintenance or management
- Each session participant has his/her own individual session access code, which provides granular access and auditability
- Auditing of all system logins and actions by IP addresses and user agents
- No passwords stored on our system; we store salted one-way password hashes only
- Notifications sent from our system, such as invites, notifications, and reminders, never include any PHI
- For additional PCI compliance, no credit cards are stored on our system, nor does any credit card information pass through our system in unencrypted form; all credit card information is vaulted at our PCI-compliant merchant gateway
- VSee integration: our media streams run point-to-point by default, instead of through a relay, which results in the videoconferencing streams not transiting our infrastructure in the vast majority of technical scenarios. We do use a secure relay when necessary, as in the case of multiple Network Address Translation (NAT) devices situated between the endpoints.
- Zoom integration: our media streams run point-to-point in one-to-one calls, during which the videoconferencing streams do not transit our infrastructure unless a relay is required. Group calls are still encrypted end to end.
Business Associate Agreement
Because our system was built from the ground up to be HIPAA compliant, we will provide a signed Business Associate Agreement for all customers that have signed up for a non-trial account.