Our customers entrust us, FitLyfe, with one of their most valuable assets: their data. We are honored by this trust, and we make every effort to continue to earn it and to ensure the continued satisfaction of our customers. Protecting the privacy and security of your data is the number one priority at FitLyfe. As such, a team of security engineers is working around the clock to ensure the confidentiality, integrity and availability of our customers' data. FitLyfe incorporates industry-leading security controls using a defense-in-depth approach to ensure that your site and your data are accessible and properly protected.

FitLyfe realizes that helping to protect our customers' data, comply with the relevant security regulations, and mitigate any potential risk is essential to building trust and delivering a high level of service. FitLyfe takes a risk-based approach to security, and this paper details the many different measures and technologies in place to protect our customers.

More information regarding the security controls and technologies we use can be found in the following section.

Defense in Depth

As you will see from any best-in-class SaaS provider, there is no single layer that protects customer data, but rather a well-architected solution that considers every layer, from the physical security measures at the data center all the way through the access privileges that determine what data an individual user can access. FitLyfe, as a best-in-class wellness technology and analytics provider, uses this approach to protect customer data.

Process & Policy

The first layer of defense is having a well-defined and comprehensive set of security processes and policies to ensure the security of our customers' data and users. This layer serves as the foundation for Security Governance, the essential element required to protect customers and users. At the heart of security governance are the policies and processes that address the most critical element of the security chain, the people. Information security is a key priority for our most core layer: our people.

Figure: Layers of defence

Physical

FitLyfe is co-located in military-grade Tier 3 and Tier 4 data centers with an amazing record of no downtime in the last 6 years. This provides an unprecedented level of reliability against any physical disruption. The data centers have N+1 power and network redundancy, including backup HVAC, UPS and generators.

  • Access to the data center is physically controlled
  • 24/7/365 monitoring by experienced IT staff
  • Multiple paralleled N+1 UPS modules configured in redundant systems to allow for A/B power configuration
  • A Very Early Smoke Detection Alarm (VESDA) with pre-action dry pipe fire suppression systems
  • Multiple fiber route entrances to structures

Our data centers are audited on a regular basis to prove they maintain the highest levels of security. These certifications include:

  • AICPA SOC 1 Type II
  • PCI-DSS v3.1 Assessed Compliance
  • SSAE 16 Type 1 and 2 certified
  • Approved DoD Cloud Data Center
  • HIPAA Type 1 AT-C Section 105 & 205

Infrastructure

FitLyfe uses the latest monitoring technology to protect our network and our customers' sensitive information from threats such as a hacker breaking in and stealing data, or phishing attempts that result in a data breach.

Our servers are protected with technology that has been years in the making. We use the latest next-generation firewalls, including Web Application Firewalls (WAF), to protect our perimeter, and the latest router technology to manage all communication across our network. The latest TLS encryption is used to protect all data in transit, which prevents sniffing attacks. We then use a network-based Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) that identify and block malicious traffic so that we can respond quickly before any damage is done.

We have a Security Information and Event Management (SIEM) system to correlate all the alerts seen in our network. These alerts come from our firewalls, routers, servers, intrusion detection systems and more. This allows us to respond even more quickly to any activity that appears malicious.

Our network and our devices are scanned for any malicious software. We have both network-level and computer-level protection against malicious software, including viruses, worms and ransomware.

In addition to our own capabilities, we contract with an on-demand Distributed Denial of Service (DDoS) scrubbing provider that allows us to stop a DDoS attack before it even reaches us.

Application

The FitLyfe platform provides end users with the ability to access data, reports, and dashboards. While this may be enough for other providers, we work hard to provide a seamless experience for you, the end user, by integrating all the endpoint data sources into the platform as well as integrating it with other software.

Data-in-transit encryption: All traffic into and out of the FitLyfe 360 Platform is encrypted using TLS 1.2 or newer, with algorithms that are considered industry best practice such as the Advanced Encryption Standard (AES). Customized integration with the FitLyfe 360 Platform is also encrypted through the FitLyfe Application Programming Interface (API).

Data-at-rest encryption: Throughout the FitLyfe 360 data lifecycle, all stored data is encrypted using tried and proven secure encryption algorithms. The FitLyfe API ensures that properly authenticated users have access to their own data only. Users never have access to anyone else's data.

User

FitLyfe 360 users are authenticated using mandatory two-factor authentication (2FA) to log in to the platform. Network and system administrators are subject to more stringent access restrictions.

We incorporate the concept of least privilege to ensure users only have access to a strictly defined set of objects and data, giving each user access to the modules they need to perform their job and nothing else. This level of security is enforced using a strictly defined set of access privileges assigned to subjects, objects and data.

Data

Data security is the final layer of security. FitLyfe employs several redundant layers of protection for the safety of our customers' and users' data. Critical data is always encrypted in transit and at rest. Database access is always protected and controlled with rigorous access control methods.

When data files are transferred, we use the SSH File Transfer Protocol (SFTP), which encrypts the data in transit with Secure Shell (SSH). Before those files are transferred, they are additionally encrypted using Pretty Good Privacy (PGP).

PCI-DSS & HIPAA Compliance

Protection of our customers' credit card numbers and health information is incredibly important to us. To maintain our PCI Level 1 certification, we rigorously analyze and protect our network. All security controls surrounding this sensitive data are then put through a rigorous annual audit.

An annual audit is performed to verify that we comply with the 12 requirements of PCI-DSS. These requirements overlap with the HIPAA requirements for electronic Protected Health Information (ePHI). They include core items described above, such as:

  • Maintaining a security governance program
  • Maintaining a secure network
  • Encrypting and protecting all sensitive data
  • Maintaining a vulnerability management program
  • Utilizing strong access control measures, such as 2FA
  • Testing and monitoring production and development networks

Learn more about how we validate our PCI compliance with VISA.

Vulnerability Analysis and Reporting

FitLyfe is always working to provide the highest level of protection for our customers' most sensitive data, including personally identifiable information (PII) and credit card details. Achieving this pinnacle of protection requires that we scan the network for any vulnerabilities and respond quickly to any issues.

FitLyfe incorporates a patch management system to ensure that all systems on our network are kept up to date with the latest security patches. At a minimum, updates are performed on a monthly basis. This ensures that when vendors find an issue with any system or product we use and release a patch for it, we deploy it very quickly. Network vulnerability scans are performed on a regular basis to rapidly identify any system that is not at the correct patch level so that we can take immediate action to fix it.

FitLyfe utilizes a secure software development lifecycle to develop our applications. Throughout this lifecycle, multiple tests are conducted to ensure the highest-quality applications for our customers. We use industry-recognized tools to scan our applications dynamically and our source code statically.

We utilize a third-party service provider to continuously scan the network externally and alert us to changes in our baseline configuration.

Incident and Breach Notification

FitLyfe has a rigorous incident response program that works to protect our customers from data breaches. Security analysts provide 24/7 security monitoring. Alerts about possible security breaches are rapidly categorized and prioritized, and the necessary mitigations are quickly applied using carefully scripted actions detailed in a series of runbooks. If there is any unauthorized access, we activate our Incident Response Team, which utilizes a well-defined and audited notification process.

A Crisis Communications Plan is maintained and activated on a company-wide level, and includes notification instructions should a large-scale event occur.

FitLyfe generates the required breach notifications in compliance with PCI-DSS and the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.

FitLyfe's lines of defense are a well-documented strategy that can and will be made available to our clients upon request.