Security Is Priority One

Security and data protection are our top priorities. ChartSwap is HITRUST certified, SOC II Certified and 100% HIPAA secure. We built our software on the SalesForce.com platform, which is recognized as having a leading security infrastructure with world-class physical, administrative and technical security safeguards. ChartSwap also has comprehensive information security and privacy policies. With advanced event monitoring, ChartSwap administrators can receive detailed reports, accounting for every action occurring on the system, so that any suspicious or unsafe activity can be identified and resolved quickly.

Why ChartSwap utilizes Force.com as our development platform

  • Experienced, professional engineers and security specialists dedicated to round-the-clock data and systems protection
  • Continuous deployment of proven, up-to-date security technologies
  • Ongoing evaluation of emerging security developments and threats
  • Complete redundancy throughout the entire infrastructure

Request And Send Records Safely and Securely Using ChartSwap

HITRUST Risk-Based, 2-year (r2) Certification

Information Protection Assurance

HITRUST Risk-based, 2-year (r2) Certification demonstrates that the organization’s ChartSwap platform has met demanding regulatory compliance and industry-defined requirements and is appropriately managing risk. This achievement places ChartSwap in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards, and frameworks and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

SOC II Certified

SOC 2 Type II Certified

Verified Data Security

ChartSwap is proud to have achieved SOC 2 Type II certification from the American Institute of Certified Public Accountants (AICPA), verifying our commitment to customer data security and stringent security practices.

To achieve SOC 2 Type II Certification, comprehensive audits of ChartSwap’s security, availability, processing integrity, confidentiality and privacy controls are conducted annually. To learn more, visit Assure Professional.

HIPAA Compliant

HIPAA Compliant & Secure Environment

Audited For Compliance

ChartSwap’s internal controls and structures are meticulously audited for compliance with the strict requirements of HIPAA.

Employee Education & Monitoring

In addition to constant security monitoring, we conduct employee background checks and provide HIPAA education to all employees to protect the health information obtained for our clients.

Monitoring Regulations

Our Privacy Officer monitors regulatory changes to mitigate the risk of potential data privacy and security breaches.

Record Access Management

Every time a user attempts to open a record, run a report, access a list view, or search for data using the user interface or API, Salesforce checks the configuration of its record access features to determine which records the user can access. These configurations can be elaborate, involving hundreds of hierarchy nodes, sharing rules, and millions of data rows.

File Encryption Policies

ChartSwap employs a multi-layered encryption scheme. We encrypt each file with its own unique key. As an additional safeguard, the system encrypts that file key with a master key that is regularly rotated. We use the 256-bit Advanced Encryption Standard (AES-256) to encrypt data at rest.
All data and file transport is accomplished via HTTPS over TLS 1.2 or later, with SHA-256 with RSA certificate signatures.

System Access Logs

All logins and access to metadata and files are logged by the system, with details down to the user’s IP address.

Authentication & IP Restrictions

Two-factor authentication, coupled with identity verification, ensures that only those who are authorized have access, whether they are connecting from within the organization’s network or from an outside IP address.

Disaster Recovery & Business Continuity

ChartSwap’s disaster recovery and business continuity plans are outlined below:

  • Data Redundancy – All of our cloud partners have built-in redundancy for metadata and files. This redundancy is implemented across different geographical regions, which protects against data loss and service interruptions.
  • Backups – In addition to built-in data redundancy on our technology partners’ platforms, ChartSwap independently backs up all data in real-time, allowing data to be restored should any system fail.
  • Website – ChartSwap’s customers access the application through a login link on our informational website. The site is protected by Cloudflare, which is designed to mitigate DDoS attacks. In the event of a website outage, however, we can quickly reroute our DNS so that users land directly on the application login page, hosted by Salesforce.
  • Natural Disasters – ChartSwap’s cloud-based architecture is inherently more resilient than a traditional datacenter. For example: During Hurricane Harvey, ChartSwap’s office was completely flooded, and access to the office was limited for several months, yet our service continued to be fully functional without incident.

Administrative Safeguards

  • Comprehensive information security and privacy policies designed to meet the requirements of ISO 27001
  • Designated specialists and departments who are responsible for Force.com’s privacy and security program
  • Limiting access to customer and protected health information to personnel who require such access to perform contractual obligations
  • Training on information security and confidentiality during monthly new hire orientation, and annual information security and privacy awareness training

Technical Safeguards

  • Connection to the environment is via TLS cryptographic protocols, using global step-up certificates, ensuring that our users have a secure connection from their browsers to our service
  • Individual user sessions are identified and re-verified with each transaction, using a unique token created at login
  • Perimeter firewalls and edge routers block unused protocols
  • Internal firewalls segregate traffic between the application and database tiers
  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports
  • A third-party service provider continuously scans the network externally and alerts on changes to the baseline configuration
  • The Force.com service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center
  • Data are transmitted across encrypted links
  • Disaster recovery tests verify our projected recovery times and the integrity of the customer data
  • All data are backed up to tape at each data center, on a rotating schedule of incremental and full backups
  • The backups are cloned over secure links to a secure tape archive
  • Tapes are not transported offsite and are securely destroyed when retired

Force.com tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Selected penetration testing and code review
  • Security control framework review and testing

The Force.com Information Security department monitors notifications from various sources and alerts from internal systems to identify and manage threats.

Physical Safeguards

  • 24-hour manned security, including foot patrols and perimeter inspections
  • Biometric scanning for access
  • Dedicated concrete-walled Data Center rooms
  • Computing equipment in access-controlled steel cages
  • Video surveillance throughout facility and perimeter
  • Building engineered for local seismic, storm, and flood risks
  • Tracking of asset removal
  • Humidity and temperature control
  • Redundant (N+1) cooling system
  • Underground utility power feed
  • Redundant (N+1) CPS/UPS systems
  • Redundant power distribution units (PDUs)
  • Redundant (N+1) diesel generators with on-site diesel fuel storage
  • Concrete vaults for fiber entry
  • Redundant internal networks
  • Network neutral; connects to all major carriers and located near major Internet hubs
  • High bandwidth capacity

Data facility workstation policies are in force that require personnel to store confidential information in secure locations, to secure unattended workspaces, to lock the screens of unattended computers, and to fully encrypt the disk drives of all portable computers.

Redundant mirrored data centers on the West Coast and East Coast, with failover between them, keep any interruption of service caused by hardware problems or data issues minimally disruptive.

Ready To Securely Retrieve Medical Records?