Fluxmed Security Policies and Processes
Password and credential storage
All credentials are stored in secure identity provisioning systems, where user identity information is kept anonymous. After authentication, every transaction is authorized using OpenID tokens.
A user's data in Fluxmed is visible only to that user and to the people the user explicitly grants access to, through the sharing features of the web application or the mobile apps.
Hosting and Data Storage
Fluxmed applications and data are hosted on AWS (Amazon Web Services) servers in the sa-east-1 region (São Paulo, Brazil).
Amazon maintains several security-related compliance programs, such as ISO 27001, PCI Level 1, HIPAA and SOC.
Virtual Private Cloud
All of our servers run inside a VPC (Amazon Virtual Private Cloud), our own isolated virtual network, with access controls that prevent unauthorized requests from reaching our internal network. Following good practice, connections to our production servers go through bastion hosts.
Backups and Monitoring
Our data is backed up automatically every day in RDS (Amazon Relational Database Service), and the backups are stored and versioned in S3 (Amazon Simple Storage Service). The infrastructure is monitored for anomaly detection using Amazon CloudWatch, AWS's infrastructure monitoring service.
Authentication and Authorization
All members of our technical team with access to the infrastructure use two-factor authentication on their accounts and connect through a VPN (Virtual Private Network). They are granted access only to what is necessary to carry out their system maintenance activities.
Encryption in transit
All application endpoints and APIs use the TLS/SSL security policy recommended by AWS for Elastic Load Balancing (ELBSecurityPolicy-2016-08).
Encryption at rest
All of our application database instances use encryption at rest, as do the files we store in S3.
The inventory of software authorized for use by Fluxmed employees is updated every six months. We verify that each item is still updated and maintained by its vendor, to keep our development environment safe.
The hardware inventory, with the attributes of the devices used for development, is updated automatically according to the employee responsible for each device.
Before code is considered suitable for deployment to production, it is reviewed in a staging (homologation) environment to detect anomalies.
All code is signed before being stored in the code repositories, to guarantee authorship and the accountability of the author.
Segregation of Environments
All production data is segregated from the development and staging environments. The staging (homologation) environment runs in its own AWS VPC, completely separated from production, in the us-east-1 region (North Virginia), and the development environment does not use Core Consultoria e Serviços Ltda's own servers.
If you suspect a security vulnerability, contact email@example.com.