Effective 09 AUG, 2023
At Feebris, we take the protection of your information very seriously. We work to the highest information security and privacy standards as part of our culture and integrity – we consciously consider risks to information security and data protection when implementing new products, features and projects.
We constantly invest in protecting your data, putting security measures in place and maintaining policies and procedures to comply with required data security standards. We continue to take all the measures to improve our information security level.
As a SaaS company, we work tirelessly to meet the ideal security standards to protect our customers from security vulnerabilities.
Security compliance:
Our certificates and resources are available upon request. Some of these may require an NDA to be in place.
Resources available:
Resources subject to an NDA:
We should look at two types of parties that can get access to your data:
You and your staff - your staff will have access to the data per the access credentials that you will provide them. You can control who can view, edit, upload and download any information based on his/her role credentials.
Our staff – a small number of Clinical Operations staff at Feebris can gain access to your data to provide support on technical issues or queries raised via our support desk and interactions. Any Feebris team member doing so will be performing specific (audited) tasks on your request.
Feebris hosts data in AWS data centres located in the UK:
Learn more about compliance, Data Centre Controls and Physical Security, at AWS.
Our data centres back up all the data in Feebris at least once a day. The data is fully restorable for disaster recovery purposes.
Once a patient record is no longer linked to a live care provider organisation, that record is archived and scheduled for destruction after 8 years have passed. At this point the data is irretrievably deleted from Feebris' cloud storage in AWS and becomes subject to AWS's destruction and decommissioning processes, which are designed to prevent customer data from being exposed to unauthorized individuals and use the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process.
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing activities.
Infrastructure failure: Feebris data stores are high availability, deployed across multiple availability zones (physical data centres), and can tolerate disruption or failure of an availability zone without downtime. Backups are similarly high availability and stored across multiple availability zones, and can be restored to a different data centre if necessary.
Network failure: Feebris systems use AWS Lambda across multiple availability zones instead of always-online, long-running servers. This means network failures are quickly handled by AWS automatically bringing up new Lambda instances in an availability zone capable of connecting to the data stores. This architecture prevents single points of failure.
Server failure: Feebris does not use long-running servers; we bring up and tear down servers in fractions of a second using AWS Lambda. Server failure is not a concern in this architecture.
Application failure: We take a layered approach to preventing and mitigating damage from application failure. Routine database backups allow us to do a point-in-time data restore if necessary. System defects can be addressed by rolling forward or back at the system level via Terraform and infrastructure-as-code best practices, at the application level by deploying code changes, and at the data level via database migrations.
Feebris protects your data with a secure network and multiple other security protection and technology measures, including:
24/7 Support: Our team is on call 24/7 to respond to security alerts and events. Events are escalated to relevant teams providing operations, network engineering, and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Protection: Our network is protected using key AWS security services, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Access Credentials: User passwords are randomly generated using the three random words technique encouraged by ncsc.gov.uk. Passwords are stored as hashes in our authentication management system and encrypted during transmission and at rest. Users with “Admin” permissions can reset patient passwords when required, via the Feebris system.
Role-Based Access Controls: Access to data within Feebris applications is governed by role-based access control and can be configured by the users with “Admin” level permissions in the Feebris system to define granular access privileges as needed.
Distributed Denial-of-Service (DDoS): The Feebris portal and API are behind CloudFront, which offers DDoS and other security protections.
Threat Detection: Feebris applications are continuously monitored for compromised accounts, anomalous behaviour and malware, alerting the security team to unexpected server requests. This includes 24/7 system monitoring.
Encryption: Feebris data is encrypted at rest in AWS using AES-256 encryption. Data in transit between our mobile app and the servers is encrypted using TLS 1.2.
Framework Security Controls: Feebris leverages modern and secure open-source frameworks with security controls to limit exposure to security risks. These inherent controls reduce the exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.
Separate Environments: Testing is conducted in a dedicated staging environment which is logically separated from the production environment. No client data is hosted in the staging environment or used during testing.
Static Code Analysis: The source code repositories for our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
Third-Party Penetration Testing: In addition to our extensive internal scanning and testing program, Feebris employs third-party security experts to perform detailed penetration tests.
Logical Access: Access to the Feebris production network is restricted on an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored, and is tightly access controlled. Employees accessing the Feebris production network are required to use multiple factors of authentication.
Policies: Feebris has a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Feebris information assets.
Training & Awareness: All employees attend security awareness training sessions which are given upon hiring and annually after that. The security team provides further security awareness updates via internal communications channels. We also run an annual information security awareness campaign which includes human vulnerability assessments, monthly e-learning modules and regular phishing simulations.
Reference Checks: Feebris performs reference checks on all new employees per local laws.
Confidentiality Agreements: All new hires and contractors are required to sign Non-Disclosure and Confidentiality Agreements.