Application Security
Promptly provides a licensing SaaS Model, where all the service management (updates, upgrades, platform scalability) and the technical support are included in the license. The fulfilment of this document was performed based on the premise of being a SaaS model; we adapted some of the sections to adhere to this model.
Security Training
At Promptly we believe that good security practices start with our own team, so all employees complete security awareness training annually.
Security Policies
Promptly has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Headquarters security
Promptly headquarters employs door personnel and badge access is required at all hours. Visitors are required to sign in and be always escorted.
Confidentiality
All employee contracts include a confidentiality agreement.
Penetration Testing
Our operations team oversees ensuring our platform is secure and available at all times. Promptly undergoes annual penetration testing conducted by an independent third-party agency of security experts to perform detailed penetration tests on the Promptly application and infrastructure. No customer data is exposed to the agency through penetration testing.
Data Security and Privacy
Promptly follows a Privacy by Design (PbD) approach. Privacy by Design is embedded into the design and architecture of Promptly’s IT systems and business practices. User personal information and patient clinical data are stored in different physical database servers with segregated access policies.
Data Analytics systems only has access to pseudo anonymized data by design.
Data Encryption
All data in Promptly servers is encrypted at rest. AWS stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS).
Data Retention
Promptly will retain personal data only for the period necessary for the identified purposes, specifically, as long as the User's login remains active and the purposes that governed the collection continue; they may only be retained for longer periods, provided that they are processed solely for scientific research or statistical purposes, subject to the application of appropriate technical and organizational measures, in order to safeguard the rights and freedoms of the data subject. Such measures may include pseudonymization provided that the intended purposes can be achieved in this way. Where such purposes may be achieved by further processing which does not permit, or no longer permits, the identification of data subjects, such purposes shall be achieved in this way.