Data encryption is used to ensure data remains secure during transit (in flight) and storage (at rest) providing End-to-end encryption. Data between our Mobile / Web Apps are secured by A-rated SSL certificates and All network traffic is encrypted using Transport layer Security (TLS) (see reports: Web App, API). Data is held encrypted at rest in an Amazon Web Services (AWS) Virtual Private Cloud (VPC) with dedicated firewalls which only grants access to our API servers via VPC Peering (see Network Security). Data within the database is encrypted to industry-standard AES-256 encryption with additional database-level encryption via the WiredTiger Encrypted Storage Engine (read more).
Telehealth utilises peer-to-peer encrypted WebRTC technology which secure by design. To enable the best possible user experience and to ensure connectivity even through networked and fire-walled computers Network Address Translation-Traversal (NAT) Services are required. To perform low-latency and reliable connections Session Traversal Utilities for NAT (STUN) and Traversal Using Relay NAT (TURN) services are required (read more about STUN/TURN). Rehab Guru use two secure telehealth services, Jitsi and Twilio to perform these tasks. Both services ensure that data remains encrypted using DTLS-SRTP. More information on Jitsi and Twilio can be found on our third-party security section and sub-processor page.
Rehab Guru carefully vet and select only vendors which conform to our stringent security standards. A full list of sub-processors and services third parties Rehab Guru uses can be found on the sub-processor page where we have listed all the services that we use to deliver Rehab Guru and why we have chosen them. Decision factors for our selection of third parties includes:
ISO 27001 Certification, SOC Data Security, GDPR compliance, EU-US Privacy Shield, HIPAA compliance, Reputation, Location, network security,
Rehab Guru does not store any payment details of customers. All our billing and management providers (Chargebee, Braintree) are validated Level 1 PCI DSS. You can read more about Braintree and Chargebee in our third-party security section and sub-processor page.
Database backups are performed hourly with additional daily snapshots Database backups are held in a different data centre to the database cluster, however within the same region (London, UK unless specified in your Enterprise Plan). Backups remain encrypted while stored and can only be read only if restored using a secure Encryption Key. All encryption keys are managed by our Key management policy in accordance with industry security best practice. Data centres are also secure (see third party security - AWS).
Our software engineering team are all vetted, trained and follow processes to ensure the software they build is secure. A stringent code review and Quality Assurance (QA) process is undertaken in development and staging environments (which replicate our production environment) to ensure all unit, integration and security tests pass before production deployment. No customer data is utilised using the development process and developers do not have access to customer (live) data at any stage in the development cycle. Our development team are given security and awareness training, sign confidentiality agreements during their on-boarding and routinely attend security continued professional development (CPD) sessions to ensure they stay up to date on the latest security information in the wider industry.
All information sub-processors that Rehab Guru choose are ISO/IEC 27001:2013 certified. This specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. Rehab Guru transmits and stores all data in an encrypted state.
We adopt a layered approach to network security. Access controls exist on each layer via explicit whitelisting to allow communication (all communication is blocked by default and only permitted if it is required). All network traffic is encrypted by default (see Data Encryption). Network level protection is provided against App Vulnerability attacks, layer 3 and layer 4 DDoS attacks. DNSSEC, SSL/TLS encryption, web application firewall and rate-limiting are all implemented as well as OWASP Top 10 protection and testing (see Cloudflare).
