Data Security at MAPflow

At MAPflow, protecting your personal health information is our highest priority. We understand the sensitive nature of patient data and have implemented comprehensive security measures that meet or exceed industry standards for healthcare data protection.

‍

Our Security Commitment

We adhere to the following principles in safeguarding your data:

• Privacy by Design: Security measures are built into every aspect of our systems from ideation to launch.
• Defence in Depth: We implement multiple layers of security controls to ensure that if one layer fails, others remain intact.
• Continuous Monitoring: Our systems are monitored 24/7 for potential security threats.
• Regular Testing: We conduct periodic security assessments to identify and address vulnerabilities.

‍

‍

‍

‍

Infrastructure Security

MAPflow uses Duplo for DevOps, embedding advanced compliance and security features into our infrastructure including:

• Multi-layer Firewall Protection: Advanced firewall systems to prevent unauthorized access.
• Network Segmentation: Strict separation between different parts of our infrastructure.
• Secure Cloud Environment: Our infrastructure is hosted in SOC 2 compliant data centres with physical security measures.
• Redundant Systems: Critical components have backup systems to ensure continuous operation.
• Automated Compliance Controls: Our DevSecOps approach automates over 90% of compliance controls.
• Codified Infrastructure: Secure and consistent cloud infrastructure configuration using infrastructure as code.
• Regular System Updates: Consistent patch management to address security vulnerabilities promptly.

‍

Data Protection

• End-to-End Encryption: All patient data is protected with strong encryption both in transit and at rest.
• Data in Transit: All data transmitted between your device and our servers is protected using TLS 1.3 encryption protocols.
• Data at Rest: Patient information stored in our databases is encrypted using AES-256 encryption, the same standard used by financial institutions.
• Regular Security Audits: We conduct vulnerability assessments to identify and address potential issues.
• Continuous Monitoring: Our systems actively monitor for unauthorized access attempts.
• Regular Data Backup: Your data is regularly backed up with strict access controls.
• Disaster Recovery Testing: We periodically test our recovery procedures to ensure data availability.

‍

Access Controls

• Role-Based Access: Our staff members only have access to the specific information necessary for their job functions.
• Multi-Factor Authentication (MFA): We require MFA for all staff accounts with access to patient data.
• Strong Password Policies: We enforce complex password requirements and regular password changes.
• Automatic Timeout: Inactive sessions are automatically logged out after a period of inactivity.
• Authentication Protocols: Advanced authentication systems protect against unauthorized access.

‍

‍

Compliance Framework

MAPflow is committed to maintaining compliance with personal health data protection regulations:

• SOC 2 Certification Process: We are in the process of achieving SOC 2 Type II certification.
• PIPEDA Compliant: MAPflow is fully compliant with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requirements.
• PHIPA Compliant: We are fully compliant with Ontario's Personal Health Information Protection Act (PHIPA), ensuring the highest standards for personal health information protection.
• Provincial Health Privacy Laws: We comply with additional provincial health information protection legislation (such as Alberta's HIA and BC's PIPA).
• International Standards: Our security practices align with ISO 27001 information security management standards.
• Regular Updates: We maintain compliance with evolving regulations through continuous monitoring and adaptation.
• Documentation: All compliance procedures and controls are thoroughly documented.

‍

Development Security

• Secure Code Review: Our development process includes rigorous code reviews for security issues.
• Regular Penetration Testing: We conduct simulated attacks to identify potential vulnerabilities.
• Automated Security Scanning: Our codebase is regularly scanned for security issues.
• Version Control: All code changes are tracked and reviewed before deployment.
• Secure Development Lifecycle: Security is integrated throughout our development process.
• Change Management: We have a structured process for implementing and documenting changes.

‍

Team Security Culture

Our security-first approach is embedded in our company culture through:

• Mandatory Security Training: All team members receive comprehensive security training.
• Security Awareness Programs: Regular updates on the latest security threats and best practices.
• Confidentiality Agreements: All staff members sign confidentiality agreements regarding patient data.
• Clear Incident Response Procedures: Defined protocols for addressing security incidents.
• Documented Security Policies: Comprehensive policies governing the handling of patient information.
• Continuous Professional Development: Ongoing training and education in security best practices.

‍

Incident Response

In the unlikely event of a security incident, we have a robust response plan in place:

• Rapid Response Team: A dedicated team is ready to respond immediately to any potential security incidents.
• Notification Procedures: We will promptly notify affected individuals in accordance with applicable laws.
• Continuous Improvement: We analyze all security events to strengthen our systems against future threats.
• Clear Communication Channels: Transparent communication about security incidents.
• Comprehensive Diagnostics: Our cloud health monitoring systems keep us informed of cyber security threats.

‍