SOC 2 and HIPAA Compliance

SeamlessDocs is SOC 2 Type 1 certified as well as HIPAA compliant.

Our SOC 2 audit was conducted by A-Lign Cybersecurity and Compliance Firm and found that SeamlessDocs meets the applicable Trust Services Principles criteria with no exceptions listed. The audit provides a thorough review of how SeamlessDocs' internal controls affect the security, confidentiality and availability of the systems it uses to process users’ data, and the confidentiality of the information processed by these systems.

Our compliance with HIPAA is now available after completing the curriculum set forth by Accountable, a complete HIPAA compliance management platform. Accountable's five step compliance process involves completion of an annual security risk assessment, HIPAA training of employees, adoption of privacy and security policies, assignment of a designated privacy officer, and execution of all required business associate agreements.

Protection

Data Encryption

We encrypt data in transit to users using a standard SSL/TLS certificate. This prevents intermediate attackers from intercepting user data. All user data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified Amazon AWS Datacenter. We also encrypt data at rest in both primary databases and all backup data snapshots using industry standard AES-256 encryption. This prevents access to user data by any attacker who might somehow still gain access to Amazon’s highly secured datacenters.

Physical Infrastructure and Security

Our hosting provider Amazon Web Services (AWS) adheres to the strictest data protection certifications. AWS allows us to be fully scalable as your workloads evolve, and features robust security components such as disaster recovery, data storage, and data backup capabilities.

More information regarding our highly reliable AWS infrastructure and its certifications can be found here. Amazon datacenters have extremely robust physical security systems in place to protect your data. You can read the AWS Whitepaper here.

Who has access to your information?

SeamlessGov takes customer data security and privacy seriously. Access to your user data is restricted to the following parties:

1) Your own registered users on your account, corresponding to their assigned customer data and with assigned permissions.

2) SeamlessGov Success Managers, only to the extent necessary and authorized by you, to service your account.

3) SeamlessGov corporate officers, to the extent required by law or to service your account.

4) SeamlessGov Engineers. Only the CTO (and in emergencies, SREs) have access to customer data to the minimal extent necessary and required to carry out their employment duties, such as operating, administering, or debugging the product.

5) Third-party contractors, to the extent they produce product components or service your account on our behalf.

SeamlessGov employees and contractors handling customer data are required to complete necessary requirements (i.e. training) in accordance with the policies specified in the company’s Code of Conduct. This document outlines SeamlessGov’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. The SeamlessGov Code of Conduct is available upon request.

Authentication

We support password-based, SAML, and AD Authentication. Multifactor authentication is not supported out of the box, but is available with implementation. Our API uses a key-based authentication mechanism. ‍All user sessions are timed out automatically, and all authentication data is encrypted. All passwords are hashed and salted using industry-standard bcrypt.

Policies and Procedures

Backing Up Your Data

We host our databases on Amazon RDS (Relational Database Service). The database constantly retains an up-to-date, encrypted copy of your data. Complete snapshots are made daily, and point-in-time restoration of data is generally possible to within 10 minutes.

Data copies are encrypted, and stored in the Amazon US West datacenters. All data is stored in the US. You can learn more about security measures for AWS datacenters here.

Legal Hold Request Process

We will respond to legal requests in a timely manner, based on the extent, scope, and urgency of each individual request. We will retain information pertaining to a legal hold in a separate database for integrity.

Disaster Recovery Process

The likelihood of a datacenter outage is extremely small. However, in the case of a disaster-related datacenter failure, we maintain backups of our code and databases and can re-deploy SeamlessGov as soon as possible, given the extent of the present incident, and assuming hosting services are restored after the disaster.

Data Corruption/Breach Management

Because of our infrastructure, data corruption is highly unlikely. In the event of data corruption, SeamlessGov will offer remediation as per our

Terms of Service.

In the unlikely event of a breach we will issue a full lockdown of services while we investigate the source and scope. We will notify our customers within 24 hours via e-mail providing relevant details, and will continue to send regular updates as new information is obtained.

Disposing of Failed Data Storage Devices and End-of-Life Hardware

Amazon AWS manages all hardware. When a storage device has reached the end of its useful life or fails to securely store data, AWS initiates a decommissioning process that ensures customer data are not exposed to unauthorized individuals.

AWS uses the techniques detailed in DoD 5220.22-­‐M (“National Industrial Security Program Operating Manual“) or NIST 800-­‐88 (“Guidelines for Media Sanitation”) to destroy data, as part of the decommissioning process.

High Standard of Performance and Security

SLA Uptime

Our SLA (Service Level Agreement) for uptime is 99.9%. We ensure minimal downtime, amounting to less than nine hours per year, and if we fail to deliver, remediation is available as per our

Terms of Service.

Privacy

We take the security of your data very seriously. Learn more about how SeamlessDocs protects your data.

HIPAA

Our compliance with HIPAA is now available after completing the curriculum set forth by Accountable, a complete HIPAA compliance management platform. Accountable's five step compliance process involves completion of an annual security risk assessment, HIPAA training of employees, adoption of privacy and security policies, assignment of a designated privacy officer, and execution of all required business associate agreements.

SOC2

SeamlessDocs is SOC 2 Type 1 compliant. Our SOC 2 audit was conducted by A-Lign Cybersecurity and Compliance Firm and found that SeamlessDocs meets the applicable Trust Services Principles criteria with no exceptions listed. The audit provides a thorough review of how SeamlessDocs' internal controls affect the security, confidentiality and availability of the systems it uses to process users’ data, and the confidentiality of the information processed by these systems.

INTERESTED IN LEARNING MORE?

Contact us for additional information regarding how we safeguard your data.

HAVE A CONCERN? SOMETHING TO REPORT?

At SeamlessDocs, we hold our employees, partners and vendors to the highest standards of conduct and we welcome any reports of abuse or misuse of the platform, unethical behavior and security incidents of any type. To file a confidential report, please email your concern to: ethics@seamlessdocs.com

Terms of Service

Did this answer your question?