Security at Servetty

We consider the security and safety of our products to be of paramount importance. Security is a shared responsibility between all parties involved in handling patient information. This page describes in detail the technologies we use and support to ensure we are meeting our obligations as a covered entity. If you have any questions after reading this, or encounter any issues, please let us know by contacting security@servetty.com.

Security Training

We offer an optional security training course at no charge for all new account owners. Topics include, but are not limited to, tips on securing your practice, common attack methods and how to prevent them, and recommendations for other software programs. We strongly suggest that all customers take advantage of this opportunity.

Data in Transit

Servetty forces HTTPS for all services using TLS (SSL), including our public website and all subdomains.

We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Servetty only over HTTPS. Servetty is also listed on the Chromium HSTS preload list.

Data at Rest

All personally identifiable information ("PII") is encrypted at rest with AES-256 in Galois/Counter Mode (GCM). Decryption keys are stored in FIPS 140-2 validated hardware security modules provided by our hosting provider, AWS.

Password Handling

All passwords are hashed using the Argon2 algorithm. Passwords must conform to the following rules: a minimum length of 8 characters, at least one lowercase letter, at least one uppercase letter, and at least one special character or number. We do not allow password reuse. We do not allow passwords that appear on published lists of commonly used passwords.
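As an added illustration (not Servetty's own code), the following Python function implements the password rules stated above. The common-password list is a constructed sample, and the `used_before` hook is a hypothetical stand-in for verifying the candidate against the account's stored Argon2 hashes:

```python
import re
from typing import Callable, Iterable, List, Optional

# Constructed sample standing in for a published list of commonly used
# passwords; a real deployment would load a full list into a set.
COMMON_PASSWORDS = {"password", "password1!", "qwerty123", "letmein", "welcome1"}

MIN_LENGTH = 8  # minimum length stated in the policy above


def password_violations(
    password: str,
    common: Iterable[str] = COMMON_PASSWORDS,
    used_before: Optional[Callable[[str], bool]] = None,
) -> List[str]:
    """Return the policy rules the candidate password breaks (empty = OK).

    `used_before` is a hypothetical hook: in production it would verify the
    candidate against the user's stored Argon2 hashes (for example with
    argon2-cffi's PasswordHasher.verify), since plaintext history is never kept.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("no digit or special character")
    # Compare case-insensitively so a capitalised variant of a common
    # password ("Password1!") is still rejected.
    if password.lower() in {p.lower() for p in common}:
        violations.append("appears on a list of commonly used passwords")
    if used_before is not None and used_before(password):
        violations.append("was used before on this account")
    return violations


def is_acceptable(password: str, **kwargs) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not password_violations(password, **kwargs)
```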

We strongly recommend that all users of our Service use a password manager.

Here are the password managers that we recommend using:

1Password, LastPass, and Dashlane

Two Factor Authentication

Servetty supports security keys (WebAuthn) for two factor authentication. This method has been designated with the highest level of identity assurance (AAL3) by the National Institute of Standards and Technology in Special Publication 800-63 revision 3. You can add an unlimited number of security keys to each user account. We recommend that each person have at least two keys: one kept on their person and a backup kept in a secure location.

Our recommended vendor is Yubico.

We provide security keys to all our staff members and require that they enable two factor authentication for all services they use.

Servetty also supports time-based one-time passwords (TOTP) for two factor authentication. This method has been designated with the second highest level of identity assurance (AAL2) by the National Institute of Standards and Technology in Special Publication 800-63 revision 3. You can add a single TOTP authenticator application to each user's account.

Our recommended vendor is Authy.

Development Practices

Servetty developers follow the secure development practices described in OWASP's Developer Guide. We subscribe to and adhere to the principle of least privilege.

Vulnerability disclosure and reward program

Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Servetty’s security, please get in touch at security@servetty.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Servetty. Please include as much information as possible in your report, including a way for us to reproduce the issue. "Proof-of-Concept" programs, tools, or test accounts that you've created are welcome.

We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Servetty rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf).

A reward of $500 USD may be provided for the disclosure of qualifying bugs. At our discretion, we may increase the reward amount based on the creativity or severity of the bugs. If you report a vulnerability that does not qualify under the above criteria, we may still provide a minimum reward of $100 USD if your report causes us to take specific action to improve Servetty’s security.

As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and testing must avoid compromising other users or accounts. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Servetty itself and all services offered by Servetty are eligible, vulnerabilities in third-party applications that use or are used by Servetty are not.

As with most security reward programs, there are some restrictions:

Servetty does not tolerate the following:

Breaching the above in any way will result in us contacting the relevant authorities.