Security at StrataPT

At StrataPT, we use industry standards and security best practices to help our clients meet their compliance needs. StrataPT constantly invests in ways to protect your data. We implement security measures, policies, and procedures to comply with relevant security standards.

Encryption

Data is encrypted in transit and at rest. Data transferred to and from StrataPT servers uses industry standard HTTPS/TLS (TLS 1.2+). StrataPT data is encrypted at rest in AWS using AES-256 encryption. This includes live data and backups.

US-Based Storage

All StrataPT data is stored in the United States.

Backups

We perform backups of client and application data at least once a day with daily, weekly, monthly, and yearly retention policies. Backups are encrypted at rest.

Network Security

Our networks utilize AWS network and infrastructure security tools such as Web Application Firewalls (WAF), network firewalls, access control lists, daily compliance scanning, logging, an internal data loss prevention (DLP) system, and intrusion detection systems (IDS). These systems continuously monitor, detect, and block unauthorized and malicious traffic.

Status Notifications

StrataPT maintains a public status page of products and services at Strata. This includes current and historical uptime of each service along with any major system announcements.

System Resilience

Multiple availability zones and data center locations with independent resources allow systems to continue to operate in the event of a regional disruption. EMR system storage and processing servers are configured for automatic failover and recovery.

Compliance Standards

StrataPT maintains a HIPAA seal of compliance with AccountableHQ.

Physical and Cloud Security

StrataPT utilizes Amazon Web Services data centers. These facilities maintain numerous certifications and attestations covering ISO 27001, HIPAA, and GDPR, along with physical access controls, backup power, and fire suppression systems. More information is available at https://aws.amazon.com/compliance/data-protection/

StrataPT also utilizes HiVelocity data centers for some services. These locations maintain certifications such as SSAE-16 SOC 1 Type 1, SSAE-16 SOC 2 Type 1, HIPAA, and PCI, along with 100% power uptime, diesel power redundancy, CRAC cooling, overhead fire suppression systems, sub-floor fire suppression, and leak detection systems. More information can be found at https://www.hivelocity.net/products/colocation/

Data Center Locations

We use AWS in the United States - Virginia region across multiple availability zones. We also utilize HiVelocity servers in California, Florida, Virginia, Texas, and Washington.

System Architecture

We routinely review system architecture to ensure it continues to adhere to best practices for security and reliability.

Network Vulnerability and Patch Scanning

StrataPT performs daily scans for known vulnerabilities and software patch compliance. Our patch policy requires critical patches to be installed within 7 days and non-critical patches within 30 days.

Third Party Penetration Tests

Third-party penetration tests and security reviews are performed at least yearly.

System Uptime

StrataPT maintains a public status page of products and services at Strata. This includes current and historical uptime of each service. Major system announcements are posted to this status page. More information is available at https://status.stratapt.com/.

Disaster Recovery

Systems are covered by a disaster recovery plan to ensure they can recover from major incidents, including restoration from backups. These plans are tested at least annually.

Software Development Life Cycle (SDLC) - Environments

StrataPT maintains a testing environment that is fully logically separated from our production environment. Changes are made to testing environments before they go live in the production region.

Software Development Life Cycle (SDLC) - Code Review

All code changes are reviewed by a person other than the original implementer. Positive sign-off is required for all changes. Records of all changes and sign-offs are maintained for future reference.

Software Development Life Cycle (SDLC) - Change Control

A change control manifest is created for each deployment to record the regions affected, status, reviews completed, and approvals.

Static Security Scanning

We use dynamic security scanning tools to periodically review systems for common risks such as the OWASP Top 10. Daily AWS-based compliance scanning checks rule sets including AWS Foundational Security Best Practices v1.0.0, CIS AWS Foundations Benchmark v1.4.0, PCI DSS v3.2.1, and NIST Special Publication 800-53 Revision 5.

Credentials

EMR login credentials are individually salted and hashed with PBKDF2. SSO is used where available.

Multi-Factor Authentication

Internal systems are required to use MFA. Client accounts can choose to enable MFA.

Access Reviews

Employee and contractor system access is reviewed monthly to maintain least-privilege access across systems.

HR Security

Employees and contractors are verified in accordance with company policy and applicable laws. Required documents for employment include, but are not limited to, Non-Disclosure Agreements and Confidentiality Agreements.

Ongoing Training

Each employee and contractor is required to complete initial training and yearly reviews of training materials on topics including security best practices, HIPAA requirements, and company policies.

Security Notifications

Security questions or findings can be communicated to StrataPT by emailing security@stratapt.com.