Information Security

At AtPost Portal by Amsler Labs LLC, we understand that healthcare professionals require the highest standards of data security and privacy. This page details our comprehensive security measures, compliance certifications, and commitment to protecting your information.

Encryption

Authentication & Authorization

• Secure Password Storage: Passwords hashed using bcrypt with adaptive cost factor
• Multi-Factor Authentication (MFA): TOTP-based 2FA available for all users
• Session Management: Secure, encrypted session tokens with automatic expiration
• Role-Based Access Control (RBAC): Granular permissions based on user roles
• Password Requirements: Minimum 8 characters, complexity requirements enforced
• Account Lockout: Automatic lockout after repeated failed login attempts

Network Security

• Firewall Protection: Web application firewall (WAF) filtering malicious traffic
• DDoS Mitigation: Distributed denial-of-service attack protection
• Intrusion Detection: Real-time monitoring for suspicious activity
• Rate Limiting: API rate limits to prevent abuse
• IP Whitelisting: Available for enterprise customers

Vulnerability Management

• Regular security assessments and penetration testing
• Automated vulnerability scanning
• Dependency monitoring for third-party libraries
• Prompt patching of identified vulnerabilities
• Secure software development lifecycle (SDLC)

Security Policies & Procedures

We maintain comprehensive written policies covering:

• Information security management
• Data classification and handling
• Access control and user provisioning
• Incident response and breach notification
• Business continuity and disaster recovery
• Vendor management and third-party risk

Security Governance

• Privacy Officer: Designated individual responsible for data privacy
• Security Officer: Oversees technical security measures
• Risk Assessments: Regular evaluation of security risks and controls
• Policy Reviews: Annual review and updates of security policies

Employee Training

• Security and privacy training for all employees with data access
• Security awareness training (phishing, social engineering)
• Role-specific security training
• Regular refresher training
• Acknowledgment and tracking of training completion

Background Checks

All employees with access to sensitive systems undergo:

• Background verification before employment
• Reference checks
• Signed confidentiality agreements
• Immediate access revocation upon termination

While we operate as a cloud-based service, our infrastructure providers maintain stringent physical security:

Data Center Security

• Facility Access: 24/7 monitored access with biometric authentication
• Video Surveillance: Continuous recording of all sensitive areas
• Security Personnel: On-site security staff at all data centers
• Visitor Logs: All visitors screened and escorted

Environmental Controls

• Climate Control: Temperature and humidity monitoring
• Fire Suppression: Advanced fire detection and suppression systems
• Power Redundancy: Uninterruptible power supply (UPS) and backup generators
• Network Redundancy: Multiple internet service providers (ISPs)

Workstation Security

• Device encryption on all company laptops
• Automatic screen lock after inactivity
• Mobile device management (MDM) policies
• Secure disposal of decommissioned equipment

Principle of Least Privilege

Access to data and systems is granted based on:

• Role-Based Access: Permissions tied to job functions
• Minimum Necessary: Users only access data required for their role
• Just-in-Time Access: Temporary elevated privileges when needed
• Regular Reviews: Quarterly access reviews and recertification

User Lifecycle Management

• Provisioning: Formal approval process for new accounts
• Modification: Changes tracked and approved by managers
• Deprovisioning: Immediate revocation upon termination or role change
• Dormant Accounts: Automatic deactivation after 90 days of inactivity

Administrative Access

• Privileged access management (PAM) for administrative accounts
• Multi-factor authentication required for all admin access
• Separate accounts for administrative vs. standard activities
• Session recording for privileged access
• Emergency break-glass procedures with full audit trails

What We Log

Comprehensive audit logs capture:

• Authentication Events: Login attempts, logout, password changes, MFA enrollment
• Data Access: Who accessed what data and when
• Data Modifications: Create, update, delete operations
• Administrative Actions: User provisioning, permission changes, configuration updates
• Security Events: Failed login attempts, suspicious activity, policy violations
• System Events: Application errors, performance issues, availability

Log Management

• Retention: Audit logs retained for 6+ years
• Immutability: Logs cannot be modified or deleted
• Encryption: Logs encrypted in transit and at rest
• Backup: Regular backups to geographically distributed locations
• Analysis: Automated analysis for anomaly detection

Real-Time Monitoring

• 24/7 security operations center (SOC) monitoring
• Automated alerts for suspicious activity
• Real-time threat intelligence integration
• Automated incident escalation
• Performance and availability monitoring

Incident Response Plan

We maintain a documented incident response plan with defined processes for:

• Detection: Identification of potential security incidents
• Containment: Immediate action to limit impact
• Investigation: Root cause analysis and scope determination
• Remediation: Fixes to address vulnerabilities
• Recovery: Restoration of normal operations
• Lessons Learned: Post-incident review and improvements

Breach Notification

In the event of a breach affecting sensitive data:

• User Notification: Affected users notified promptly
• Regulatory Notification: Appropriate authorities notified as required by law
• Details Provided: Nature of breach, data affected, steps taken, user actions recommended
• Credit Monitoring: Offered if financial or identification data compromised

Business Continuity

• Disaster Recovery Plan: Documented procedures for service restoration
• Regular Backups: Automated daily backups with point-in-time recovery
• Geographic Redundancy: Data replicated across multiple regions
• Recovery Time Objective (RTO): Target recovery within 4 hours
• Recovery Point Objective (RPO): Maximum 1-hour data loss
• Regular Testing: Disaster recovery drills conducted quarterly

7. Infrastructure and Service Providers

Cloud Infrastructure

Our platform is built on industry-leading cloud infrastructure:

• Supabase: Enterprise-grade database and authentication
• Vercel/AWS: Secure application hosting with global CDN
• Geographic Distribution: Services hosted across multiple availability zones
• Certifications: Our providers maintain SOC 2 and ISO 27001 compliance

Network Architecture

• Virtual Private Cloud (VPC) isolation
• Network segmentation and microsegmentation
• Private subnets for databases
• Web application firewall (WAF) at the edge
• TLS termination at load balancers

8. Compliance and Certifications

Current Compliance

Third-Party Assessments

• Annual security assessments by independent firms
• Regular penetration testing
• Vulnerability assessments and remediation
• Compliance audits

9. Report a Security Issue

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Responsible Disclosure

When reporting security issues, please:

• Do: Report the issue privately to us first
• Do: Allow reasonable time for us to address the issue
• Do: Provide detailed information to help us reproduce
• Don't: Publicly disclose the vulnerability before we've addressed it
• Don't: Access or modify user data beyond what's necessary to demonstrate the vulnerability
• Don't: Perform actions that could harm our users or services