At MedTrainer, security is integral to our product.

Our engineering team constantly conducts risk assessments, aggressively tests the security of our products, and continually assesses our infrastructure. Your organization’s data security is mission-critical, and we take our commitment to protecting it extremely seriously.

Data

Data Encryption

  • Data in Transit
    Data transferred between the user’s browser and MedTrainer’s servers is encrypted in transit. MedTrainer uses TLS v1.2.
    Data transferred between the different infrastructure components of the MedTrainer application is also encrypted. This includes communication with external services such as the email API and HR integrations.
  • Data at Rest
    Data is encrypted at rest: all cloud storage and database tables are encrypted.

Data Center Security

  • Data Center Provider
    MedTrainer uses Microsoft Azure and AWS as cloud providers for its production servers, databases, and supporting services (firewall, gateways, storage, etc.).
    MedTrainer only uses U.S. locations with its cloud providers (mainly U.S. West locations).

Data Availability

  • Availability
    In the last 3 years, the application SLA has been greater than 99.95%.
  • Redundancy
    MedTrainer runs multiple instances of each production service to support high traffic loads and to provide redundancy in the event of a failure.
  • Backups
    MedTrainer’s production data is backed up daily and tested every quarter.

Product

Authentication Control

MedTrainer allows customers to choose between two authentication options: username/password, or single sign-on with the most common enterprise identity providers, such as Active Directory, Google Suite, ADP, and more.

Access Permissions

With granular access control in MedTrainer, admins can provide limited-access permissions to certain modules.

Application

Software Development

  • Access Controls
    Access to MedTrainer’s development systems is limited based on our employee roles and responsibilities. The principle of least privilege is enforced, meaning our employees are given access on a need-to-know basis, specific to their job responsibilities.
  • Quality Control
    All changes to our application are subject to peer review, automatic review, manual testing, and automated testing before being available to our users.
  • Multiple Stage Environments
    MedTrainer maintains segregated testing, development, and production environments for our development process.

Vulnerability Management

  • Penetration Testing
    MedTrainer uses third parties to conduct penetration tests to identify deficiencies in the system that may affect critical assets.
  • Vulnerability Scanning
    MedTrainer uses third-party security tools to continuously scan our applications, systems, and infrastructure for security risks and vulnerabilities.
  • Code Analysis
    MedTrainer’s code repositories are regularly scanned for security issues, including scanning of the dependencies in use and static code analysis.

Security Awareness

  • Policies
    MedTrainer maintains a robust set of security policies that are updated periodically to meet the demands of an ever-evolving security environment. Policies are communicated to MedTrainer employees and are available for review at any time.
  • Training
    All MedTrainer employees are required to complete security training. MedTrainer’s security team provides continuous education on emerging security threats, and communicates updates with employees regularly.

Compliance

MedTrainer follows SOC/Type 2 guidelines. We are in the process of obtaining our accreditation and expect to complete it in 2024.

Cyber Security Insurance

MedTrainer uses commercially reasonable efforts to prevent data breaches and cyber security issues within customer accounts. In the event of a breach, MedTrainer maintains the following insurance limits to assist with remedying any fault found to have been caused by MedTrainer’s gross negligence: 2M per occurrence / 2M aggregate.

Security policies and processes that can be provided upon request:

  • External Security Testing
    • Database Vulnerability
    • Software Analysis
    • Software Penetration & Network
  • Access Control Policy
  • Personnel Security Policy
  • Password Management Policy
  • Cryptographic Control Policy
  • Risk Management and Procedures Policy
  • Application Configuration, Change, Maintenance and Release Management Policy
  • Configuration Management for Cloud Infrastructure Procedures Policy
  • Data Classification, Handling and Retention Policy
  • Security Engineering Policy
  • Security Hardening Guidelines
  • Device Hardening and Patch Management Policy
  • Cyber Threat Information Management Policy
  • Source Code Management Policy
  • Supplier Security Policy
  • Supplier Security Questionnaire
  • Incident Response Plan
  • Business Continuity Plan
  • Business Impact Analysis
  • Third Party Risk Management