All data sent to and from our platform is encrypted in-transit and encrypted at rest. See our SSL Labs score. All media between the client and server use standard protocols (DTLS/SRTP) encrypted with 256 bit AES.TLS encryption is used for inbound and outbound email.

On top of all the controls that protect the confidentiality, integrity and availability of PHI, we have BAAs in place with third parties and subcontractors who have access to PHI.

Access to patient data is severely restricted, and any person or party that (potentially) has access to patient data is bound by confidentiality agreements.

Physitrack runs physically isolated platforms in different data centers around the world to avoid leaking data outside jurisdictions as much as reasonably possible.

• Every year, we hire an accredited third party to perform grey box penetration tests on our platform. This includes testing for vulnerabilities against OWASP-threats
  
• Every week, an independent third party scans our platform for known vulnerabilities.
  Any uncovered vulnerability is prioritised, resolved and deployed as soon as possible following discovery.

• Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorised access is performed using:
  ‍
  - a virtual private cloud (VPC);
  - a bastion host or VPN with network access control lists (ACL’s) and no public IP addresses;
  - a firewall that monitors and controls incoming and outgoing network traffic;
  - IP address filtering.

Our infrastructure is hosted inside AWS. Physical and environmental security related controls for our servers, which includes buildings, locks or keys used on doors, are managed by AWS:“Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorised staff must pass two-factor authentication a minimum of two times to access data center floors."

Your privacy is of utmost importance to us. As part of our commitment to safeguarding your data, we do not store any bank or credit card information on our servers. Instead, we rely on PCI-DSS-certified third-party payment services to handle all transactions. They are industry leaders in payment security and compliance, ensuring that your payment information is processed securely and efficiently.
For payment processing, we utilise the following trusted services:

• Adyen is a leading payment service known for its advanced technology and compliance with PCI-DSS standards. You can review their privacy practices on their privacy policy page.
• Stripe is a globally recognised payment platform known for its robust security measures and compliance with PCI-DSS standards. You can learn more about their privacy practices by visiting their privacy policy page.
• GoCardless specialises in direct debit payments and adheres to the highest security standards. Detailed information about their data protection and privacy policies can be found on their privacy policy page.
• Chargebee offers a comprehensive subscription billing platform with robust security protocols. Please refer to their privacy policy for more details on how Chargebee handles your data.

Our commitment to your data security is further strengthened by our partnerships with these reputable trusted services. Together, we implement a comprehensive array of security measures, ensuring that your financial information is managed with the utmost care and security.

We use industry-best practice development processes both for our applications and our infrastructure.Code is under version control (Git), and features/fixes are developed in separate branches.Before being reviewed by a peer, code has to pass thousands of automated tests and is scanned for known security issues. The fix/feature is then manually tested (QA) and merged to the master code branch.We have separate testing, staging and production environments.