Security

Security and Reliability Safeguards

At Coachific we know that our customers rely on us as an important part of their business processes and record keeping. We take our responsibilities to our customers seriously, and the security and reliability of the software, systems and data that make up the Coachific application are our top priority.

Overview

SSL Security

All information travelling between your browser and Coachific is protected from eavesdroppers with SSL encryption. The lock icon in your browser lets you verify that you aren’t talking to a phishing site impersonating Coachific and that your data is secure in transit.

Firewalls

The Coachific application – including your data – rests securely behind server firewalls.

Vulnerability Scanning

Coachific servers are scanned for vulnerabilities regularly by our server hosting provider. These scans test our servers both from the Internet and from inside the network, and any newly-identified problems are addressed as quickly as possible.

Strong Encryption

Particularly sensitive information – personal details, phone numbers, email, addresses, etc. – is encrypted in our database.

Physical Security

The Coachific servers are located in state-of-the-art US-based datacentres, which provide access controls, constant surveillance, redundant power feeds and generators, robust fire suppression, and carefully monitored climate control to protect the servers that store your data and manage your billing.

If you have any security concerns or questions feel free to contact us at mail@coachific.com.

Certifications

Our hosting provider is certified to the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognised information security controls framework, audited by a third party, they have demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn’t end with a compliance framework; the framework is a necessary baseline for security, not the end of it.

They are also an active participant in, and comply with, the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce and the European Commission. The framework provides a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

GDPR Compliance

Coachific addresses the guidelines set out by the GDPR and provides customers with features to properly manage client information stored in our system.

PCI Compliance

Payments processed through Coachific are done in a PCI compliant manner. We process subscription payments via Stripe and payments on your behalf via integrations with Stripe, which is a PCI Level 1 Service Provider. Your and your clients’ credit card data is not stored on Coachific servers.

Learn more about Stripe compliance: https://stripe.com/docs/security

Security In The Browser

We do not persist your password in your browser cache. We use secure cookies with limited lifespans. You will be asked to re-enter your login credentials if your session is idle for the allotted timeout period.

Encryption

All data sent between your browser and our servers is secured using industry-standard AES-256 encryption. We use TLS 1.2 to encrypt your data both between your browser and our servers and between our servers and other internal networks. Data stored on our servers is also encrypted using AES encryption algorithms.

Server & Backups

We store your data on encrypted hard drives on servers in North America.

Data backups are done nightly, so you can rest assured you won’t lose sensitive data in the unlikely event of a disaster. Backups are stored for 30 days, after which they are purged from our system.

Auditing

We use audit logs to record account changes and communication with your clients. Account changes include updates to your password and changes to your payment information and subscriptions.

Coachific and HIPAA

What is HIPAA?

HIPAA is the United States federal Health Insurance Portability and Accountability Act, which seeks to protect the confidentiality and security of healthcare information. Under the HIPAA Privacy Rule, “covered entities” (including health plans, health care providers, and health care clearinghouses) are required to use appropriate safeguards to protect the privacy of PHI.

When a covered entity uses a service provider – a “Business Associate” – such as a software provider to process PHI, it must make sure that the service provider agrees to properly secure PHI on behalf of the covered entity. This is typically achieved by contractually obligating the service provider to adhere to the HIPAA privacy and security rules through a Business Associate Agreement (BAA) or Business Associate Contract.

Will Coachific sign a BAA?

The majority of businesses we serve are gyms and corporate wellness companies, or personal trainers, nutritionists and other fitness professionals. They do not fall under the scope of HIPAA.

Complying with HIPAA has two components – privacy protocols and infrastructure security. We already conduct routine security audits for vulnerabilities and have a strict data security process in place, which covers many of the best practices as outlined by HIPAA.

Entering into a BAA would require us to hire an accredited accounting firm to perform costly HIPAA audits every year, a cost we would ultimately need to pass on to our end users.

As such, we will not sign BAAs as most of our user base are not HIPAA covered entities.

If you do require HIPAA compliance, we sometimes provide custom HIPAA compliant hosting on request; however, we typically advise you to seek out a HIPAA compliant solution specific to your industry. Alternatively, seek legal advice from a licensed attorney with appropriate expertise and authorisation to practise in your jurisdiction on what your exposure to HIPAA is and whether continued use of Coachific is consistent with the HIPAA risk profile of a business of your size.

Coachific HIPAA and PIPEDA Compliant Servers

The Coachific servers supporting HIPAA / ePHI are located in compliant hosting solutions, making sure technical controls, backup management, safeguards and physical security policies are in place, all to verify that your data is secured to industry standards.

Requirement: Implementation

Certification: SSAE-16 (formerly SAS70) & Safe Harbor Compliant
Encryption: Data is encrypted during transfer (and for HIPAA / ePHI at rest).
Minimum Necessary Access: Access controls always default to no access unless overridden manually.
Physical Security: Our servers are maintained by an SSAE 18 provider which utilizes industry-leading security tools and best practices.
Monitoring: All network requests, successful and unsuccessful, are logged.
Auditing: All log data is encrypted and unified, enabling secure access to full historical network activity records.
Tenancy: Single tenant dedicated server.
Vulnerability Scanning: All customer and internal networks are scanned regularly for vulnerabilities.
Backup: All customer data is backed up every 24 hours. Thirty (30) days of rolling backups are retained.

A HIPAA BAA is available upon request. Contact us at mail@coachific.com if you have specific concerns about regulations outlined by your governing body.

Shared Responsibility

The Health Insurance Portability and Accountability Act (HIPAA) and its rules on Protected Health Information (PHI) are especially pertinent to practitioners or coaches (“customers”) in the healthcare industry, and set out a number of guidelines to ensure sensitive information remains secure and protected.

HIPAA Rules typically require that covered entities and business associates enter into contracts to ensure all PHI will be properly safeguarded. These contracts are typically referred to as the Business Associate Agreement (BAA).

Coachific will enter into a BAA with its technology hosts and providers (“partners”) to ensure HIPAA compliance in the cloud; however, to maintain compliance, a customer must apply its own due diligence while using Coachific, in an approach known as the “Shared Responsibility Model”.

Coachific (together with its partners) is responsible for “Security of the Cloud”, namely protecting the infrastructure that runs all of the services offered in Coachific, which is composed of the hardware, software, networking, and facilities that run Coachific services.

Data Center Physical System Security – SSAE-16 (formerly SAS70) & Safe Harbor Compliant

Minimize Risk of Loss and Theft: 24/7/365 Manned Facility, Closed Circuit TV Security Cameras, Monitored 24/7/365 by 3rd Party Security Company, Site Entrance Controlled by Electronic Perimeter Access Card System

Minimize Risk of Damage

High Security Facilities: Data Centers Privately Owned and Operated, Durable, Poured Concrete External Walls, Disaster Neutral Geographic Locations

Advanced Fire Prevention Infrastructure: Dry Pipe Preaction, Double Interlock System, NFPA 13 Compliant

Security Zones: Office Space Separate from Data Center Space, Advanced Proximity Credentials Required to Access Data Center, All Employees Receive Full Background Check, Key Locked Physical Server Rack Enclosures, Component Level Redundancy Available for Hard Drives, Hot and Cold Spare On-site Servers

Entry Security – Access Controls: Exterior Entrances Secured by Mantraps with Interlocking Doors, Access to the Data Center Space Requires Secure Credentials

Uninterruptible Power Supplies (UPS): Multiple N+1 MPS Generators, Multiple Fuel Contracts Ensure Fuel Availability for Generators, Multiple N+1 UPS Systems with 30 Minute Minimum Runtime, Redundant ASCO Closed Transition Bypass Isolation Transfer Switches

Network Configuration and Technical Security

Network Device Management: Hardware Cisco Firewall Devices with Full Management, Outbound and Inbound Traffic Filtering, Intrusion Detection/Intrusion Prevention Modules, Network Redundancy Ensures Failover, Diverse Connectivity Fiber Paths Into Building, Bandwidth Co-Op solution, Carrier Neutral.

Backup Management: Backed up to an off-site facility for disaster recovery in secure Data Centers – featuring SSAE-16, PCI compliance, Safe Harbor Certification.

Customer Responsibility

Customers are responsible for “Security in the Cloud”, namely performing all of the necessary security configuration and management tasks for access, data, communication, etc.

As a preliminary step, customers should stop and evaluate whether Protected Health Information (PHI) is absolutely necessary, as in many use cases the same results can be obtained with de-identified health information.

De-identified Data

De-identified data is health information from a client record that has been stripped of all “direct identifiers” — all information that can be used to identify the person from whose record the health information was derived.

According to the Health Insurance Portability and Accountability Act (HIPAA), there are 18 direct identifiers that are typically present in patient medical records.

Names
Geographic subdivisions smaller than a state (e.g. street address, city and ZIP code)
All dates that are related to an individual (e.g., date of birth, admission)
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
IP address numbers
Biometric identifiers such as fingerprints and voice prints
Full-face photographic images
Other unique identifying numbers, characteristics or codes

Coachific adheres to the HIPAA-defined “safe harbor” method to de-identify data: all 18 identifiers are removed, client records are tracked by a unique ID number, all communication is via the application, and appropriate audit trail modifications are made.
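The safe-harbor removal described above, as an added example that is not Coachific's code: a Python routine that drops the listed identifier fields from a constructed client record, keys the record by a random ID held in a separate re-identification map, redacts identifiers that leak through free-text notes, and a check that reports anything left behind. The field names, regex patterns and sample record are assumptions, not Coachific's schema.

```python
import re
import secrets

# Field names assumed for this example's client record (not Coachific's schema),
# covering the HIPAA safe-harbor direct identifiers listed on this page.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "zip", "dob", "admission_date", "phone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo", "other_unique_code",
}

# Identifiers also leak through free text; these patterns catch common shapes.
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

SAMPLE_RECORD = {  # constructed sample, not real client data
    "name": "Jane Doe", "email": "jane@example.com", "dob": "1985-03-02",
    "zip": "90210", "height_cm": 170, "goal": "lose 5 kg",
    "notes": "Session 2024-01-15: call 555-123-4567 or jane@example.com",
}

def deidentify(record, key_map):
    # Drop every direct-identifier field, key the record by a random ID, and
    # keep the identifiers only in key_map (the re-identification key, which
    # must live in separate storage under its own access control).
    pseudo_id = secrets.token_hex(8)
    key_map[pseudo_id] = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS}
    clean = {"client_id": pseudo_id}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):  # redact identifiers hiding in free text
            for kind, pattern in LEAK_PATTERNS.items():
                value = pattern.sub(f"[{kind} redacted]", value)
        clean[field] = value
    return clean

def residual_identifiers(record):
    # Check before export/sharing: (field, kind) for each surviving identifier.
    found = [(f, "field") for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str) and field not in DIRECT_IDENTIFIER_FIELDS:
            found += [(field, k) for k, p in LEAK_PATTERNS.items() if p.search(value)]
    return found
```

Run `residual_identifiers` on the raw record and on the output of `deidentify` to see the check fail on the former and pass on the latter.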

The “Shared Responsibility Model” must still be adhered to and a customer (coach) must apply their own due diligence while using Coachific to ensure de-identified data integrity.

Non-De-identified Data

De-identification is the removal of identifiers from PHI, which helps mitigate privacy risks to individuals. Moreover, the medical information can then be used in areas such as research, policy assessment, and comparative effectiveness studies.

If data within Coachific is not de-identified, the following identifiers are available within the application.

Names
Gender
Height
Geographic subdivisions (e.g. street address, city, ZIP code and state)
All dates that are related to an individual (e.g., date of birth, admission)
Telephone numbers
Fax numbers
Email addresses
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
IP address numbers
Full-face photographic images
Third-Party Service Providers (MyFitnessPal, Fitbit, FatSecret, Withings)

Responsible Disclosure of Security Vulnerabilities

If you are a security researcher and think you’ve found a security vulnerability with our service, product, or website please contact us at mail@coachific.com for details on how to report it to us.