Information security
Governance and compliance
The continued security and privacy of the data stored on the Full Health Medical platform is our top priority.
Our robust governance framework is based on compliance and regulatory requirements and industry best practice. Our security controls are certified to the ISO/IEC 27001:2017 standard and regularly audited by independent third-parties.
To meet your legal requirements for data protection, data is solely domiciled within the EU at Amazon Web Services' (AWS) secure data centres in the Dublin, EU region.
Our system is compliant with the European and UK General Data Protection Regulation (EU/UK GDPR) frameworks for the collection and use of personal data
Infrastructure
The Full Health Medical platform is hosted, within the EU at Amazon Web Services' (AWS) secure data centres in the Dublin, EU region. Data is encrypted at rest using an industry-standard AES-256 algorithm.
The Amazon Web Services data centres are accredited to SAS 70 Type II, SSAE 16 and ISO 27001:2013. For more information including physical security, environmental safeguards, network, data, and system security see: https://aws.amazon.com/security.
Customer data is backed up hourly and can be used to recover from local disasters or unexpected circumstances impacting the availability or integrity of the primary copy. Backups are securely stored within the Amazon Web Services infrastructure across multiple locations and designed to offer 99.999999999% durability, 99.99% availability and can sustain the concurrent loss of data in two facilities.
Application security
The Full Health Medical platform provides a number of security safeguards at the application level to protect your data.
All web traffic between the user’s browser and our application is encrypted in-transit with TLS v1.2 standard (128-bit or 256-bit encryption depending on browser).
Access to our application servers is protected by limiting the IP addresses that engineers originate from, who must also use multiple factors of authentication to log in. Customer administrators can also elect to restrict access to their provider portal by IP address.
When accessing the platform users’ sessions are automatically timed out after a period of inactivity. After this time, the user is required to log in again to access the application. This significantly reduces the risk of the session being hijacked by a following user on the same device.
Software development
The Full Health Medical engineering team follows a rigorous and audited secure software delivery lifecycle methodology.
All software tasks no matter the rank of the developer follow a peer code review, a data protection impact assessment and are tested in a representative test environment before being promoted to the live operational system.
Robust monitoring facilities are in place to ensure that engineers are alerted in real time of system errors affecting the application or underlying infrastructure.
The security of the platform is independently penetration tested annually. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team for rapid resolution.