Integrify Security Overview
AWS Shared Responsibility
(Availability: Cloud)
Integrify utilizes AWS for all of our application hosting and data storage. AWS employs a shared responsibility model in which they are responsible for the security of the hardware, infrastructure, and host/service software security: https://aws.amazon.com/compliance/shared-responsibility-model/
Authentication
Integrify Database Authentication
(Availability: Cloud, Self-Managed, OnPremise)
User profiles are stored in Integrify. Passwords are hashed using bcrypt. User Name and Password are managed in Integrify. Password pattern, length requirements, and expiration settings can be used to enforce corporate password policies.
Integration with SSO/ADFS/SAML2.0
(Availability: All installation types) -a one-time setup fee may apply
This option delegates authentication to your IDP (identity provider) using a service provider-initiated HTTP POST SAML2.0 flow. Integrify will initiate an AUTHN request to your IDP and redirect the user to your authentication endpoint. Your IDP will authenticate the user and then cause the user’s browser to post a SAML Assertion with the user’s profile information to the Integrify ACS URL. Integrify will validate the SAML Assertion with the signing certificate provided by the IDP. If Valid, Integrify will provision the user or update the user’s integrify profile if it already exists. Endpoints and attributes mappings will be exchanged as part of the setup.
Data Encryption on the Integrify Cloud
Integrify Encryption in Transit
The connection between the application and the client browser uses TLS 1.2. The connection is encrypted and authenticated using ECDHE-ECDSA-AES128-GCM-SHA256/ECDHE-ECDSA-AES256-GCM-SHA384 and uses ECDHE-RSA-AES128-GCM-SHA256/ECDHE-RSA-AES256-GCM-SHA384 as the key exchange mechanism (see ELBSecurityPolicy-FS-1-2-Res-2020-10. Once inside our private network in AWS, the traffic is not encrypted.
Integrify Encryption at Rest (Optional)
Amazon RDS encrypted instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance. Once your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don’t need to modify your database client applications to use encryption.
Amazon RDS encrypted instances provide additional data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your cloud applications and fulfill compliance requirements for data-at-rest encryption.
Firewalls
Integrify uses AWS Elastic Load Balancing firewalls to permit only HTTPS traffic on port 443. Certificates (SSL) are installed at this level to assure all communication between the firewall and the browser is secure. (See Integrify Encryption in Transit above). Integrify also uses AWS Shield Standard to defend against the most common, frequently occurring network and transport layer DDoS attacks that target web sites and applications. These measures combined with AWS VPCs, Security Groups, and Network Accesss Control Lists provided a completelly secure and locked down network platform for our cloud application.
Regulatory Compliance
SOC 2/3
Service Organization Control (SOC) Reports are independent third-party examination reports demonstrating how Integrify’s cloud applications achieve key compliance controls and objectives. These reports allow auditors to understand the controls established to support operations and compliance. To request a copy of our SOC 2 report, please contact us. For our cloud customers, we can offer an applicable SOC 3 from our host AWS.
HIPAA
Integrify can provide a Business Associate Agreement (BAA) certifying that our Cloud instances comply with HIPAA requirements. Customers can leverage the secure Integrify environment to process, maintain, and store protected health information. BAA Agreement available upon request.
FDA/21 CFR Part 11
This regulation ensures that companies and organizations implement good business practices by defining the criteria under which electronic records and signatures are considered accurate, authentic, trustworthy, reliable, and confidential. Our software provides customers with the necessary tools and technology to meet FDA/21 CFR Part 11 guidelines. Read More on Integrify’s 21 CFR Part 11 Compliance.
GSA Schedule / Multiple Award Schedule (MAS) / Federal Supply Schedule
The GSA Schedule is a convenient, effective option for both buyers and sellers. Buyers enjoy simplified ordering procedures and reduced prices. Integrify is authorized to sell goods and services directly to government agencies through the GSA Schedule.
GDPR (General Data Protection Regulation) Compliance
Integrify is hard at work ensuring that our software and internal practices are GDPR compliant for our customers in the EU as both a data controller (our internal corporate systems) and data processor (the Integrify application) and we fully expect to be compliant sometime this year.
To meet the GDPR requirements for Data Processors we ensure the safety and security of the data our customers control on our platform.
Data Security
Integrify’s application is hosted securely on AWS. AWS complies with the General Data Protection Regulation (GDPR) and adheres to the data protection standards required of data processors by the GDPR.
Monitoring and Breaches
-
Integrify performs continuous monitoring and reporting on vulnerabilities and potential configuration flaws in cloud workloads, including an incident audit trail for auditors and regulators.
-
Integrify performs log security monitoring, daily review, and archive to detect attacks and provide evidence for regulators.
-
Integrify provides network monitoring and analysis for suspicious activity and data breaches by security experts 24x7x365.
-
Integrify provides notification and guidance for data breaches within 24 hours to the supervisory authority and affected customers.
Database Access
(Availability: Enhanced Cloud)
Secure access can be provided to your private Integrify DB and tables to client Administrators upon request. We require connectivity to be IP specific and recommend the use of a standard encrypted SQL connection from the allowed IP.
Disaster Recovery
Backup Processes
In the Integrify Cloud, full backups are done daily; incremental backups are done every 15 minutes – with a daily backup distributed to a separate data center for disaster recovery. We retain 4 days of backups for private AWS RDS Database instances. OnPremise and Self-Managed deployments are responsible for their disaster recovery.
Off-site Data Storage
We move the latest backup of each system and database to a different data center within AWS once a day.
Data Retention
During normal use, no data is deleted from the Integrify database through the Integrify system. Only soft deletes are made.
Application Updates
Update Management
If deployed OnPremise, customers utilize the Integrify OnPremise Manager for updates to the platform. If OnPremise is deployed in the Cloud, Integrify manages application and OS updates as a managed service as part of the annual subscription. Private Cloud instances are a single tenant with each client’s RDS SQL Server DB instance. (Note: all Integrify clients, whether single tenant or multi-tenant, have their own DB instance). If on the latest version of Integrify Cloud, application updates are done in real time as our QA team approves application changes.
Monitoring
Integrify monitors the performance of the Integrify cloud and proactively alerts Support Group members if needed. Integrify utilizes AWS to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes.
Platform Upgrades
For OnPremise/Self-Managed deployments, Integrify makes updates to the platform available to the client to download and install. Clients can utilize the Integrify OnPremise Manager to update their installation. Minor software updates are made available periodically and are inclusive. A client may skip several months and then install the next available update and it will include all prior skipped minor releases. Integrify Private Cloud provides this as part of your annual subscription as a managed service. If on the latest version of Integrify Cloud, application updates are done real-time as our QA team approves application changes.
Integrify API
Integrify has several task types referred to as Plugins that enable calling out and call in data from various interfaces. Our REST and SOAP Plugins enable calls to be made during process execution. This information can be utilized within the process/request itself and also be saved within Integrify and other custom data structures to be utilized later during other processes or actions.
Integrify OnPremise/Private Cloud also has an API Kit that enables programmatically triggering actions through RESTful services. Nearly any action triggered through our end-user interface can also be triggered through RESTful services – such as initiating a process, executing a task, running a report, and much more. Integrify API documentation can be found here for v7 installations: https://developer.integrify.com.
If subscribing to the latest Integrify Cloud, the API documentation can be seen in the application by clicking the gear icon in the upper right of the navigation bar and selecting ‘APIs’
Incident Management
Integrify’s platform can be used as an incident management system, allowing users to report security breaches or safety issues that follow the chain of action and approval.