EBP Toolkit Security
Application Overview

EBP Toolkit is a SAS-based application used by mental health organizations and their health care providers. Our application allows mental health providers to administer, teach, and measure Evidence Based Practices in mental health.

Security Assessments and Compliance

EBP Toolkit's physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

For additional information see: https://aws.amazon.com/security

Secure Hosted Environment

EBP Toolkit's software is managed in a hosted environment provided by Heroku.com, physically managed by Amazon.com

Heroku and Amazon provides hosting privacy and security in a number of areas

  • Physical Security - Restricted access for Amazon.com data center employees.
  • Environmental Safeguards - eg. Fire Detection and Suppression, Climate and Temperature Control
  • Network Security - eg. Firewalls, DDoS Mitigation
  • Data Security - Database and secure access, Audit trails
  • System Security - Application isolation and and System Authentication.

For additional information see: https://www.heroku.com/policy/security

EBP Toolkit Application Safegaurds

Data Encrypted in Transit

EBP Toolkit encrypts all data that is transferred from browser to server and back using HTTPS.

Data Encrypted at Rest

All personally identifying data related to the patient are encrypted before being stored in the database using the Advanced Encryption Standard. Decryption keys are unique per organzation and stored separate from the database. Data are decrypted as they are delivered to the client in reports or displayed on a web pages.

Secure information such a passwords are encrypted as well as removed from log files. Passwords are not stored on the server in a decrypted format.