Safety
Security - we take it seriously.
At SpeechFit, safety is one of our core values and we go to great lengths to keep you and your data safe. Below you will find some of the things we do to keep your data safe, along with frequently asked questions. Contact us if you would like to know more.
Bank-Grade IT Security
You trust us with your data; it is our responsibility to govern it wisely. That is why your data is protected by bank-grade security.
PHI and PII
When it comes to handling Personally-Identifiable Information and Private Health Information, SpeechFit supports and adheres to the Australian Privacy Principles as set out by the Office of the Information Commissioner (OAIC).
SpeechFit is HIPAA-compliant. As covered entities, clinics who join SpeechFit agree to our BAA.
Infrastructure Certifications
SpeechFit is built on infrastructure that has been tested and validated by third-party auditors across ISO, PCI, SOC, and other certifications.
SOC 1/ISAE 3402, SOC 2, SOC 3
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 9001, ISO 27001, ISO 27017, ISO 27018
HIPAA
HITECH
Encryption at Rest
All data that is consumed or produced by the application or our cloud-based infrastructure is encrypted at rest.
Encryption in Transmission
When transmitting data between the application and our cloud-based infrastructure, we utilise 256-AES encryption and all API connections use SSL.
256-AES encryption is the only publicly accessible cipher that is approved by the NSA (National Security Agency) for encrypting top secret documents.
API-Level Security
We use cutting-edge technologies to eliminate data risk. No users can access your data without you first granting permissions - this is enforced at numerous levels. Unauthenticated access to our API is not available.
Each request to our API is signed with a single-use cryptographic hash. Our API then uses several randomly-generated unique identifiers that must resolve against your sharing settings before access to your data is granted. Furthermore, each piece of data may have different permissions, ensuring that only what you want your clinician (or client) to see is available to be queried. This is in addition to the numerous protections we include before making requests.
We do not use API keys, preferring JSON Web Tokens, a technology allowing transmission of data between parties in a way that requests can be signed, and any tampering during transmission can be identified once received. Apple authenticates their APIs with JSON Web Tokens. We use JWTs where other methods are not suitable.
Stripe's verification API ensures that your services are provisioned regularly without risk of interference.
Database Design
Our database structure, and the hosting thereof, adheres to the strictest standards of data security.
Best Practices in Application Design
We have architected the application in line with best practices in regard to data security, interfacing with APIs, persisting information such as cookies (we don't store PII in cookies or rely on cookies to run the application), maintaining timeout limits, and a number of other protections geared around ensuring that, if you are using a device with multiple users, your data will not be compromised when another user logs on to the device.
2FA
Access to our third party providers are protected by 2FA.
Clinician accounts can turn on 2FA before they invite their first client. Clients may also turn on 2FA.
Please note: if you are signing in with Google, 2FA is handled by Google. Any Google 2FA settings will apply when logging in to SpeechFit with Google.
Culture & Personnel
Security runs in the culture. As such, we select individuals who demonstrate congruence with our culture of safety and security, not only before we begin working with them, but throughout the duration of our association.
Below you will find some of the things we do to promote a culture of safety and security at SpeechFit.
Background Checks
Background checks and National Police Checks are mandatory for all employees, contractors or associates who may, at any time, handle your personal information, or have access to our IT systems. This includes software engineers, marketing personnel who may see limited personal information such as your name and email address, and customer success personnel who may need to access basic, account-level details to provide assistance.
While SpeechFit has no physical presence within clinics at this time, if at any time SpeechFit were to provide services that would require an employee, contractor, or associate to enter a clinic or be in the vicinity of children, Working with Children Checks would be additionally mandatory.
Preparedness
Even though we invest in keeping you and your data safe, SpeechFit remains prepared. This involves:
Data Breach Preparedness Plan
Regular Security Audits
Exit Procedures for Employees, Contractors and Associates
All Employees are required to undergo security training at least once a year
-----
When we say, reach out to us with any questions, we mean it! Let us know if there is anything we can answer for you.
Frequently Asked Questions
Where is my data hosted?
For customers in Australia and New Zealand, your data is hosted in Melbourne and Sydney. For customers in the USA, your data is hosted in Ohio. For customers in Canada, your data is hosted in Montreal. For customers in the UK, your data is hosted in London and Ireland. All other customers have their data hosted in the closest data centre.
Have you ever had a data breach?
No. SpeechFit has never had a data breach.
Can I get a copy of my data?
You certainly may! Email us at hello@speechfit.io. Not only would we be happy to do so, it is your right under the Australian Privacy Principles.
Can you delete my data?
Yes! Just email us at hello@speechfit.io. Please bear in mind that, if your data is deleted and there is no backup, it will be gone forever.
How do I contact you to report a security concern?
Email us at hello@speechfit.io. We take your concerns seriously and will get back to you as soon as possible.
