Intelligent Locations’ INTRAX platform is built from the ground up with security in mind. We follow and implement best practices and standards recommendations in every layer of the cloud architecture and development process. We follow the ISO 27001 standard and the applicable set of SOC 2 Type 2 security controls (report available on demand).
For our web application, we use the OWASP Top 10 standard recommendations. While maintaining HIPAA and SOC 2 certifications, Intelligent Locations already enforces a robust security posture, continuously improved by our internal Security Governance Process. We use Security Scorecard and Coalition Inc as external cybersecurity monitoring tools, which help us and our customers continuously monitor the current state of our security posture.
The security approach employed by Intelligent Locations, a defense-in-depth strategy, aims to combine multiple security controls applied at each platform layer. The following are examples of such measures:
1. Network Security – continuously monitoring traffic and completely isolating internal resources and development tools inside the cloud, minimizing attack surface.
- a. Only allow access to confidential data to employees that strictly need it for their job.
- b. Enforce encrypted connections to any cloud resources as well as MFA for corporate emails.
- c. Virus protection and operating system monitoring to ensure the latest security patches are installed.
2. Application Security – enforce authenticated access to all internal and customer-facing applications. The following are examples of the access and security measures in place:
- a. Enforce Role Based Access Control (RBAC) to all internal and customer facing applications and end-to-end encryption for all applications’ data flows.
- b. Encryption in transit is applied at the transport protocol level.
- c. Data at rest is encrypted using the industry-standard AES-256 encryption algorithm for both RDS (databases) and cloud storage. An extra application-level encryption layer is applied for PHI and PII data.
- d. Intrusion detection and logging systems are in place for all applications. Based on an application’s specific functionality, we store the log files for a maximum of 1 year.
- e. AWS CloudWatch is enabled for all long-lived log entries.
- f. OpenSearch service is used for operational and debugging long-lived log entries.
3. Users – Internal Users (Intelligent Locations employees) are subject to:
- Policy managed onboarding and offboarding processes.
- Cloud infrastructure access is managed by AWS IAM (Identity and Access Management).
- Access to other internal Intelligent Locations resources is managed by Microsoft Azure Identity Server (corporate email application access, MS Teams, other SSO-enabled services).
- INTRAX (customer user interface application) identity management is handled by Single Sign-On IDPs. We support locally managed identities (e.g., users managed by our internal IDP) and also customer IDPs (federated authentication) on top of the SAML (preferred), OIDC, and LDAP SSO protocols.
Intelligent Locations is audited annually, which helps the company understand what it is doing right and what can be improved. Improvements are made regularly and plans are in place for risk events.
For exceptional events that might be unforeseen or out of Intelligent Locations’ control (natural disasters, cyber-attacks, etc.), the company maintains a Disaster Recovery Plan in order to restore the system and minimize the potential downtime for customers. Intelligent Locations’ team tests the Disaster Recovery Plan at least twice annually. Cloud services are set up such that end users face as little disruption and data loss as possible, and Intelligent Locations is constantly working on improvements to cover as many scenarios as possible.
In the event of a data breach, or failure in any of our policies, the Incident Response Plan is enacted.