Last updated: 02.06.2020.
This Data Security Policy specifies details about how Myworkout handles customer data, employee PII, intellectual property and other sensitive information.
Our data centers, managed by Amazon Web Services (“AWS”), are SAS 70 Type II Certified, SSAE16 (“SOC 2”)/HIPAA/HITRUST Compliant, and feature proximity security badge access and digital security video surveillance. All of our customers' private data is stored within our Virtual Private Cloud. All access to our web services is secured over HTTPS using at least TLSv1.2 cryptographic protocols with AES-128/AES-256, and personal data is encrypted at rest using AES-256. We perform annual OWASP audits and apply security practices as a continuous part of our development process.
All Myworkout application and database servers are physically managed by AWS in secure data centers in the “eu-west-1” region. Our security procedures utilize industry best practices from sources including The Center for Internet Security, Microsoft, Red Hat and more. All data center facilities are certified SOC 2/HIPAA/HITRUST Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. A complete listing of compliance programs can be found here: https://aws.amazon.com/compliance/programs/.
AWS manages physical access to the data centers. Access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Myworkout employees do not have access to the physical server hardware that holds PII.
Myworkout has a combination of firewall and authentication rules for accessing our hosting environment. All data access is through encrypted channels and server access on public networks requires a VPN connection to our main office. Only select Myworkout employees are able to directly access our servers.
All AWS data centers are equipped with automatic fire detection and suppression (either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems), climate and temperature controls, fully redundant uninterruptible power supplies, and generators to provide back-up power for each physical site.
All User Data stored in our Myworkout GO system is encrypted at rest using AES-256 encryption. Any identifiable data within the Myworkout GO system is stored in a separate and secured database (managed through AWS RDS) or on AWS S3. Myworkout maintains numerous full backups of all User Data. These backups are stored in a geographically and logically separated environment.
User data includes data stored by Users in Myworkout applications, information about a User’s usage of the application, data instances in the Customer Relationship Management system to which we have access, or data that the User has supplied to us for support or implementation. When managing User Data, we take into account the following considerations:
User data is deleted, anonymised or de-identified within 14 days after the user has requested deletion of the account. Our data backup policies adhere to these requirements: our data backups are kept for 14 days, after which they are automatically destroyed.
Old computers and servers used to store or access Client information receive a 7-pass erase that meets the NIST 800-88 standard for erasing magnetic media; the devices are then recycled or resold. Paper information containing personal data in the office is discarded using a document shredder. Myworkout also adheres to a clear desk/clear screen policy.
Myworkout security administrators will be immediately and automatically notified via e-mail or Slack if the implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within one (1) hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:
Security administrators will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and interviewing the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Clients will be notified via email within 24 hours upon detection and confirmation of any incident that compromises access to the service, compromises data, or otherwise affects Users. Clients will receive a status update upon incident resolution.
All data transfer and access to Myworkout applications will occur only on Port 443 over an HTTPS connection using at least TLSv1.2 cryptographic protocols with preferred AES-256 encryption. In order to ensure client compatibility we allow for AES-128 to be used for systems where AES-256 is not available.
We annually audit and review our SSL certificate configuration using the SSL Labs service to make sure our configurations reach a minimum grade of A.
Our software architecture is container-based, which ensures that our applications run in isolation. This effectively limits the attack surface if one application is compromised.
As a hosted SaaS solution, we regularly improve our system and apply security patches. Since our services are container-based, it is easy to upgrade our systems to the latest versions and security patches at the OS and application server level. Non-critical system updates will be installed at predetermined times. Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before implementation.
Myworkout practices data privacy by design and by default, and security tests are part of our automated test suites. In addition, we perform annual OWASP audits and perform AWS Inspector vulnerability assessments of our server environment bi-weekly. Code that is added to our applications and services is manually reviewed by other colleagues and automatically analyzed by third-party code quality testing software.
Users are not able to log in directly to Myworkout’s application. All user logins and sessions are authenticated via a secure OAuth 2.0 access token.
All Myworkout employees receive training in password security, and we use vetted password security software that manages passwords and helps ensure that they are unique and rotated when needed (e.g. using 1Password Watchtower to detect reused or compromised sites/passwords). For our Myworkout GO system we require all users' passwords to be at least 8 characters long, and each password is checked against lists of common and leaked passwords (and rejected if found to be insecure).
All Myworkout staff members are made aware of relevant external regulations as part of their onboarding and training process. Confidentiality agreements are entered into with all employees.
We restrict Myworkout employee access to personal data based on the assessed risk level and on a need-to-know basis.
Where anonymization is not possible (e.g. for technical reasons, where a product problem can only be recreated using PHI, such as investigating a problem on a User’s device), access to the data is restricted and the data is destroyed or returned to the User as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library. Any identifiable data within the Myworkout GO system is stored in a separate and secured database.
The processing of personal data is limited to the minimum required to deliver the service to our customers. We conduct DPIAs for each processing purpose that is likely to entail high risk, especially data that falls under special categories of data according to GDPR.
Myworkout expects a high standard of professional integrity from our collaborators, clients, and partners and requires that they process personal data according to GDPR or an applicable privacy framework such as the EU-US Privacy Shield.
This Data Security Policy was last updated on June 2, 2020.