Last updated on 30th December 2022
Keragon is committed to providing a highly secure and reliable healthcare integration & automation platform.
To achieve this we are implementing proven technical and organizational security measures that are capable of contributing to the protection of customers’ personal data and ensuring that such data will be available when it is needed. Keragon will regularly carry out, test, review, and update all such measures.
Compliance Program
Keragon is fully compliant with HIPAA regulations in handling ePHI. We employ data minimization practices to ensure full data security. We are also in the process of passing an independent, third-party HIPAA audit and are happy to sign a BAA as needed.
Keragon is also currently working towards completing the SOC 2 Type 2 compliance, and will be annually audited by an independent, certified third-party. Our SOC 2 Security, Availability & Confidentiality Report will be available to current and prospective customers under NDA - please contact us at security@keragon.com for a copy.
Keragon also employs privacy and information security controls to meet the requirements of data protection regulations like the GDPR & CCPA. You can read more about our privacy controls here: https://www.keragon.com/legal/privacy
Hosting Environment and Physical Security
Keragon is hosted on public cloud infrastructure from Amazon Web Services (AWS). Amazon maintains high standards of security for their data centers. Keragon uses AWS data centers that are SOC 1, SOC 2 and ISO/IEC 27001 certified in the US East regions.
You can read further about AWS security here: https://aws.amazon.com/security
Vulnerability and Penetration Testing
Keragon conducts regular internal vulnerability testing.
Keragon also hires a qualified external company to conduct a regular platform level vulnerability and penetration test. The results are analyzed and vulnerabilities are addressed based on risk and severity. Our test reports are available to current and prospective customers under NDA - please contact us at security@keragon.com for a copy.
Network Security
The Keragon website is only accessible over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Keragon follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.
Keragon also uses the secure HTTPS protocol for communication with third-party systems.
Authentication
Clients login to Keragon using a password which is known only to them. Password length, complexity and expiration standards are enforced. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database and hence no passwords can be recovered by Keragon staff.
When using a Google Account to access Keragon, no user credentials are stored by Keragon, with the identity assertions signed and verified. Optional Two-Factor Authentication (2FA/MFA) support is available for an additional layer of protection of your account.
When Keragon workflows connect to remote systems using user-supplied credentials, where possible this is done using OAuth2, and in those cases, no credentials need to be stored in the Keragon system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Keragon’s best practice recommendation is for customers to use an integration specific user identity (ISU) with appropriate entitlements/scopes for connection authentication for applications that are part of the workflows.
Encryption
All Keragon data and communications are encrypted both at rest and in transit using industry best practices.
Data Storage & Retention
Keragon stores only the data we need to - that which is required for accessing your account, connecting with your different third party tools, and debugging workflows.
For personal account information, we store any personal details such as your name and email address, that you provide when creating a Keragon account for as long as your account is active. At any time you can request your account be deleted and this data will be deleted from our systems.
For connecting to different third party tools on your behalf, we will often require you to provide authentication to these 3rd party services in the form of access tokens (including from the result of OAuth2 authentication flow) or username/password credentials. This sensitive authentication data is encrypted at rest in our databases, using strong 256 bit encryption, and will be removed if you delete the authentication in question or your Keragon account. All sensitive authentication data is obfuscated when passed through workflow execution state and logs.
For workflows, we store a log of transactions for a limited period of time, in order to provide visibility into system activity, facilitate testing and debugging, allow the re-running of failed transactions, and to support long running transactions. The maximum retention period varies and can be configured. If desired, zero retention can be configured, in which case data will be held only temporarily in memory during processing. Keragon provides the capability (an optional add-on feature) to stream transaction logs and audit history to an external customer provided HTTPS endpoint for longer-term retention and/or analysis.
Audit Trail
We use various technologies to provide an audit trail over our infrastructure and the Keragon platform. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.
Privacy And Confidentiality
No Keragon staff will access your data unless required for support reasons. When working on a support issue to assist with a workflow, we only access the minimum data needed to resolve your issue while respecting your privacy. Access to data is restricted by job function and monitored.
Keragon also has a public privacy policy, which details the types of personal information we collect, our handling of this information, and our customers’ privacy rights.
Application Development and Testing
Keragon has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.
Development staff receive regular training on secure development principles.
Our configuration and change management processes are documented and audited as part of our SOC 2 certification.
High Availability
Keragon is designed to offer high availability and resilience to service disruption. Technical measures used to ensure high availability include running Keragon services in redundant clusters, utilizing multiple redundant cloud Availability Zones, and continuous replication of the application database to a standby system.
Keragon has implemented a Business Continuity and Disaster Recovery program. This program includes not just measures to ensure the high availability of Keragon’s IT assets, but also contingency planning for natural disasters and other possible disruptions.
Keragon also stores regular daily backups of all important information. These backups are encrypted and stored for a maximum of 14 days before they are removed.
Incident Response
Keragon has deployed a variety of security and monitoring tools for its production systems. There is 24x7 monitoring of the security status of its systems and automated alerts are configured for security and performance issues.
While we don't anticipate there being a breach of our systems, Keragon has put in place a Security Incident Response Plan, which details roles, responsibilities and procedures in case of an actual or suspected security incident.
In the event of a confirmed data breach (unauthorized access, misuse, accidental loss, or destruction of Customer Data) Keragon will provide written notification to the Customer without undue delay of becoming aware of the incident.
The notice will contain the date and time, nature, the extent of the incident, the measures taken to remediate and prevent the occurrence of a similar incident.
Keragon will provide the information required by the Customer in order to fulfill its data breach reporting obligations under and in accordance with the timescales required by applicable data protection laws and regulations.
Personnel Security
All employees are subject to background checks, to the extent permitted by local law. Employment at Keragon requires written acknowledgement by employees of their roles and responsibilities with respect to protecting customer data and privacy.
Keragon applies to the principle of least privilege for access. All access and authorization rights are reviewed regularly. Access or authorization rights will be withdrawn or modified, as appropriate, promptly upon termination or change of role.
We enforce the use of SSO or 2FA on all systems with access to customer data and maintain strict access policies to ensure the principle of least privileged is adhered to. An industry-leading password manager is used internally where passwords are necessary.
Keragon employees use a workstation that adheres to Keragon's security policy, which includes device encryption, password complexity, automatic screen lock, up-to-date endpoint detection and response or anti-virus software.
Keragon maintains an information security training program that is mandatory for all employees during onboarding and at least annually.
Payment Details
Keragon does not store payment information on our servers - we use the payment processor Stripe, which is certified to PCI Service Provider Level 1, the most stringent level of certification available.
You can read further about Stripe’s security here: https://stripe.com/docs/security
Responsible Disclosure
Keragon welcomes reports of vulnerabilities or other security issues.
We strive to keep Keragon safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner. We will work with you to assess and understand the scope of the issue and fully address any concerns. Emails are directly sent to our engineering staff to ensure that issues are addressed rapidly. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.
Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status.
Need to report a security vulnerability?
Please email us directly at security@keragon.com
Vulnerabilities, as defined by industry standards, shall be remediated within a reasonable risk-based timeframe or identified as a residual risk where the action(s) should be taken to remediate as soon as possible.
Questions?
If you have questions regarding a specific policy or general inquiries regarding security, please contact us at security@keragon.com
CHANGELOG
v1.0 - Public version of Keragon’s Security Statement - 30th Dec 2022