Practice Better | Trust Center
Practice Better Trust Center
Our commitment to data privacy and security is embedded in everything we do.
See section

Compliance

HIPAA

CASA Tier 2

PIPEDA

GDPR

Monitoring

Continuously monitored by Secureframe
View all

Subprocessors

Amazon Web Services

Box Inc.

Carry Technologies Inc.

dbt Labs

Deepgram

Documo

Datadog

Google Cloud

HubSpot

View all

FAQs

Your data is encrypted both in transit (between the browser and our servers) and also at rest (when stored on our servers). We use AES-256 bit encryption while transferring your data to/from our servers. We encrypt and store data on our servers using the AES 256-bit encryption. AES-256 is the industry standard for storing and transferring sensitive data. All backups of your data are also encrypted using AES-256 bit encryption. We use TLS 1.2 to encrypt your data both between your browser and our servers and between our servers and other internal networks.
Yes, we use Amazon Web Services (AWS) and Box.com to store your data in the cloud.
We use Amazon Web Services and Box.com to store your data in the cloud. Our core infrastructure is hosted using these two services. We have Business Associate Agreements (HIPAA BAA) and Data Processing Agreements which requires these providers to meet the highest level of security and privacy for storing personal health information.
Any documents you upload to Practice Better will be stored in AWS. Any generated PDFs for completed forms, archived notes and protocols will also be stored here. We use Box.com to facilitate our "Document Preview" feature within the portal. This allows PDFs, Word Docs and other document types to be viewed directly from the website without having to install 3rd party extensions or download files to your computer.
We have HIPAA Business Associate Agreements and GDPR Data Processing Agreements with vendors which store and process data on our behalf.
We have access controls, role-based authorization and IP whitelisting in place to restrict unauthorized access to cloud data. Both AWS and Box.com adhere to strict SSAE 18 auditing and reporting standards for managing access to data stored in their systems.
Yes, these providers are mandated to provide options (which we utilize) to completely wipe data from their servers.
Data is replicated across multiple redundant servers within our environment which mitigates the risk of loss of connectivity with one or more nodes (this guidance is specific to our AWS infrastructure - database and file servers).
Third parties services are outlined in our Privacy Policy. Updates to this list of providers are generally communicated via this Policy.
You can export client data by following the instructions here: https://help.practicebetter.io/hc/en-us/articles/234807887-Exporting-client-records Your export will be provided as a Zip archive which includes spreadsheets of data included in the client file and documents associated with your client. Data you or your clients have created/uploaded to PB will be wiped completed from our system after 30 days either via automated batch processes or data retention rules defined in our infrastructure. For example, we have policies defined to limit database backups to a maximum of 30 rolling days. we run a nightly batch process to purge accounts (and related data) which have been marked for deletion by practitioner or client.
View all

Monitoring

Change Management

Approval for System Changes
System changes are approved by at least 1 independent person prior to deployment into production.
Configuration and Asset Management Policy
A Configuration and Asset Management Policy governs configurations for new sensitive systems
Secure Development Policy
A Secure Development Policy defines the requirements for secure software and system development and maintenance.
Production Data Use is Restricted
Production data is not used in the development and testing environments, unless required for debugging customer issues.
Change Management Policy
A Change Management Policy governs the documenting, tracking, testing, and approving of system, network, security, and infrastructure changes.
Software Change Testing
Software changes are tested prior to being deployed into production.

Availability

Automated Backup Process
Full backups are performed and retained in accordance with the Business Continuity and Disaster Recovery Policy.
Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.
Backup Restoration Testing
Backed-up data is restored to a non-production environment at least annually to validate the integrity of backups.
Uptime and Availability Monitoring
System tools monitors for uptime and availability based on predetermined criteria.

Organizational Management

Performance Review Policy
A Performance Review Policy provides personnel context and transparency into their performance and career development processes.
Performance Reviews
Internal personnel are evaluated via a formal performance review at least annually
Disciplinary Action
Personnel who violate information security policies are subject to disciplinary action and such disciplinary action is clearly documented in one or more policies.
Information Security Policy
An Information Security Policy establishes the security requirements for maintaining the security, confidentiality, integrity, and availability of applications, systems, infrastructure, and data.
Background Checks
Background checks or their equivalent are performed before or promptly after a new hires start date, as permitted by local laws.
Independent Advisor
The board of directors or equivalent entity function includes senior management and external advisors, who are independent from the company's operations. An information security team has also been established to govern cybersecurity.
Roles and Responsibilities
Information security roles and responsibilities are outlined for personnel responsible for the security, availability, and confidentiality of the system.
Organizational Chart
Management maintains a formal organizational chart to clearly identify positions of authority and the lines of communication, and publishes the organizational chart to internal personnel.
Internal Control Policy
An Internal Control Policy identifies how a system of controls should be maintained to safeguard assets, promote operational efficiency, and encourage adherence to prescribed managerial policies.

Confidentiality

Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.
Disposal of Customer Data
Upon customer request, Company requires that data that is no longer needed from databases and other file stores is removed in accordance with agreed-upon customer requirements.
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.

Vulnerability Management

Vulnerability Scanning
Vulnerability scanning is performed on production infrastructure systems, and identified deficiencies are remediated on a timely basis.
Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes to efficiently respond to identified vulnerabilities.
Third-Party Penetration Test
A 3rd party is engaged to conduct a network and application penetration test of the production environment at least annually. Critical and high-risk findings are tracked through resolution.

Incident Response

Lessons Learned
After any identified security incident has been resolved, management provides a "Lessons Learned" document to the team in order to continually improve security and operations.
Tracking a Security Incident
Identified incidents are documented, tracked, and analyzed according to the Incident Response Plan.
Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning and tracking confirmed incidents through to resolution.
Incident Response Plan Testing
The Incident Response Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Incident Response Plan based on the test results.

Risk Assessment

Risk Assessment
Formal risk assessments are performed, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats.
Vendor Risk Management Policy
A Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle.
Risk Assessment and Treatment Policy
A Risk Assessment and Treatment Policy governs the process for conducting risk assessments to account for threats, vulnerabilities, likelihood, and impact with respect to assets, team members, customers, vendors, suppliers, and partners. Risk tolerance and strategies are also defined in the policy.

Network Security

Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.
Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.
Endpoint Security
Company endpoints are managed and configured with a strong password policy, anti-virus, and hard drive encryption

Access Security

Access to Product is Restricted
Non-console access to production infrastructure is restricted to users with a unique SSH key or access key
Removal of Access
Upon termination or when internal personnel no longer require access, system access is removed, as applicable.
Asset Inventory
A list of system assets, components, and respective owners are maintained and reviewed at least annually
Access Control and Termination Policy
An Access Control and Termination Policy governs authentication and access to applicable systems, data, and networks.
Unique Access IDs
Personnel are assigned unique IDs to access sensitive systems, networks, and information
Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.

Physical Security

Physical Security Policy
A Physical Security Policy that details physical security requirements for the company facilities is in place.

Communications

Privacy Policy
A Privacy Policy to both external users and internal personnel. This policy details the company's privacy commitments.
Communication of Critical Information
Critical information is communicated to external parties, as applicable.
Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Terms of Service
Terms of Service or the equivalent are published or shared to external users.