guest post by brian doherty, chief technology officer at cronometer
Here at Cronometer, we pride ourselves on our data security. You trust us with your health data and we take that seriously. Not only do we comply with, but we go above and beyond the security measures that are required of us.
Cronometer is cloud based, communicating with millions of users over the web and mobile apps. How do we do this while maintaining the security of your data?
Security is built into the pillars of our company values and we adhere to 3 basic principles:
- Encrypt everything (in transit and at rest)
- Grant least access/privileges to information that allows the work to continue
- Maintaining industry best practices, employing set standards where possible (HIPAA, GDPR, etc)
Encrypt Everything
All traffic from your mobile app or browser to Cronometer’s servers is encrypted.
All data internally from our load balancers to our web servers is encrypted.
All data internally from our web servers to our other tiers, databases, etc is encrypted.
All admin access to our systems is encrypted.
Any requests to non-encrytped web pages are automatically redirected to their encrypted counterparts.
All user passwords are encrypted, and never stored cleartext (hashed and salted).
Our blog server is encrypted.
Least Privileges
Users are only granted access to their information
Any access granted to other parties is completely in the control of the user via the profile page. (inviting friends, signing up to studies, signing up to Pro’s, etc)
Any data sharing, for opt-in studies, or Pro accounts, is via encrypted channels
Industry Best Practices
Cronometer was born in and was built for the cloud.
We are designed from the ground up to the distributed and secure.
We are adhering to GDPR, with a data protection officer.
We are self-certified as HIPAA compliant, a US standard usually reserved for medical practitioners, as we have several prominent US hospitals using Cronometer in their facilities.
All of the above is aimed at reducing the likelihood of data breaches. We are not perfect, mistakes and bugs can and will happen. This assumption is built into the above.
This is to ensure we know how to react. With HIPAA and GDPR we have mandated policies for how we react, expected timings for certain tasks, executive committees, etc.
Since the foundation of Cronometer we have also provided the option to completely remove your data from our system and will always have this. This ensures you keep complete control of your data.
I hope this has spread some light on how we value security and the importance we place on protecting your data.