We apply a rigorous, platform-wide approach to security, specifically with regards to HIPAA-compliant handling of protected health information (PHI) and PCI-compliant handling of financial card data.
Avytree offers a Business Associate Agreement (BAA) to our dental practice customers enumerating our respective obligations under HIPAA.
Avytree relies on the industry-standard Google Identity Platform within GCP for API-level identity management of both Practice Users and Patients.
Our identity layer consists of SHA-2 hashed password storage and authentication, role-based, session-scoped access controls, and application-level authorization logic.
Patient information, including data that falls within the scope of HIPAA and the Avytree BAA, is persisted on Amazon Web Services (AWS). Avytree has countersigned BAAs with these cloud providers and has verified their compliance with HIPAA, SOC 2, and ISO 27001.
Within Avytree's cloud infrastructure, we employ the following practices to ensure data integrity and security: 1) Virtual Private Cloud isolation and peering, 2) encryption of data at rest (AES-256) and in transit (TLS), and 3) anonymization of non-production data.
Avytree maintains and enforces an Internal Security Policy. This policy establishes information security controls and business practices to ensure the protection of sensitive data, specifically Protected Health Information, within the managed services, infrastructure, and business systems operated by Avytree, Inc.
All credit card, debit card, ACH, and other payment method data is collected, stored, and processed via Stripe.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.