Security

At FamVault, we prioritize the security of our customers' sensitive data through a comprehensive DevSecOps approach. To learn more about our commitment to maintaining the highest standards of security, click on the link.

Customer Data Protection

Data at Rest

FamVault encrypts all datastores containing customer data with AES-256 to keep your files confidential even from physical and logical access to the database.

Data in Transit

FamVault uses TLS 1.2 or higher for secure transmission of all data. We also use features such as HSTS (HTTP Strict Transport Security) to enforce strong encryption of your data in transit. Server TLS keys and certificates are managed by AWS.

Secret Management

FamVault encryption keys are managed via AWS Key Management Service (KMS). KMS stores key material in Hardware Security Modules (HSMs), which prevent direct access by any individuals, including FamVault and Amazon employees. The keys stored in HSMs are used for encryption and decryption via Amazon’s KMS APIs.

Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly controlled.

Incident Response

FamVault systems and data are monitored 24/7/365 for security incidents, and we respond to alerts within minutes.

Backups

FamVault automatically backs up data every five minutes in case of a systems outage. If a region-wide outage occurred in AWS, FamVault would be temporarily unavailable, but your data would still be safe and secure.

Security FAQs

What encryption standards do you use for data at rest and in transit?

FamVault uses AES-256 for encryption at rest and HTTPS via TLS for encryption in transit. The keys are managed in AWS Key Management Service (KMS). The API secrets to interface with the KMS are managed within the AWS Secrets Manager.

How do you manage and enforce access controls? Can you provide details on role-based access and multi-factor authentication?

Logged-in users are granted access based on their identity after authenticating to the FamVault service with multi-factor authentication. Each API request is explicitly checked to verify the user's identity and whether that identity is authorized for the requested API function and objects.

How do you monitor for security threats and vulnerabilities? Do you conduct regular security audits and penetration testing?

FamVault enlists Ridgeline International for its security monitoring. Ridgeline is a data, privacy, and technology company, which provides security for some of the most sensitive units within the US Government. Ridgeline performs continuous monitoring of FamVault's components for security-relevant changes, anomalous system or user activity, and attempted attacks on the FamVault platform. Ridgeline also performs secure code reviews and penetration testing of FamVault software prior to production release.

What is your incident response plan? How quickly do you respond to and resolve security incidents?

Ridgeline International provides 24/7/365 monitoring of FamVault and would respond immediately to any security alerts.

What are your data backup and disaster recovery procedures? How often are backups performed and tested?

FamVault backs up data every five minutes automatically with automatic crossover in the case of individual systems outage. In the event of a region-wide outage in AWS, FamVault would be temporarily unavailable until the outage is resolved. In the future, FamVault will deploy to multiple regions to mitigate the risk of an outage.

How do you ensure the security of third-party vendors and integrations?

Third-party vendor code goes through a security review prior to integration within the platform.

Is my data private? What are your policies regarding data sharing and retention?

Uploaded Powers of Attorney, Living Wills, and Do Not Resuscitate orders could be accessible by medical professionals to validate and adhere to the patient’s documented wishes. Aside from these documents, uploaded user data is private unless the user chooses to share it. FamVault will not share other uploaded user data for any purpose. Security logs are stored for a minimum of six months.
