With the following exceptions, no other user can see your information, activity, and results. Your Quality Systems account information, activity, and results are PRIVATE.
- In order to join an organization on the Quality Systems, you must agree to share some account information with that organization. In addition, if you participate in a private plan study or contouring exercise sponsored by that organization, your results will be available to the organization's administrators.
- A user has the ability to share their own Quality Systems accomplishments as a PDF report rendered by the Quality Systems Achievement System. This is an optional feature and only each user has access to their own achievements.
- If a user has an excellent result in a Plan or Contouring Study (i.e., a "High Performer"), that user's name and institution may be added to a presentation slide and/or included on the Quality Systems blog. He/she may also be asked to give an interview on their techniques for that particular plan, which would also require their name and institution, but this is optional.
What is it?
The General Data Protection Regulation (the GDPR) replaces the 1995 EU Data Protection Directive (the Directive) effective May 25, 2018. The GDPR is EU legislation which strengthens privacy regulations for companies handling the personal data of EU citizens by adding provisions that grants new rights to individuals. It also includes harsh penalties for companies that violate the regulations.
While the Directive applies only to organizations in the EU, the GDPR will apply to any entity which a) markets their products to people in the EU or which b) monitors the behavior of people in the EU.
Why is it important?
While the GDPR introduces new requirements for protecting EU citizens' data, following GDPR policies is simply the right thing to do. We believe that your privacy is important, and we strive to:
- Limit the data we process.
- Keep you informed about how we process your data.
- Ensure you have the ability to keep your data up to date or remove your consent to allow the Quality Systems to process your data.
Training and Awareness
We are a small team, and every member of our team is committed to ensuring your data is kept private and secure. We are committed to develop a training program in preparation for the May 25 deadline and will conduct regular user privacy training with employees beyond this deadline.
Data Protection Impact Assessments
We have implemented a process for determining whether a Data Protection Impact Assessment (DPIA) is necessary and, if it is, how it is conducted. The DPIA is special type of risk assessment in which we identify data privacy risks and develop risk mitigation strategies. Any time we introduce a change to the way we handle personal data, our product team will determine the possible impact on user privacy and data security. We will keep this process up to date as the Quality Systems grows and matures.
Third Party Vendor Contracts
We are incorporating DPAs (Data Processing Addendums or Data Processing Amendments) into our third party vendor contracts and reviewing their GDPR compliance.
Individual Data Subject's Rights - Data Access, Portability and Deletion
We have put a breach management protocol into place, which includes processes for assessing the impact of the breach, reporting the breach, and notifying data subjects of the breach and its potential impact.
We utilize Amazon Web Services (AWS) for all of our hosting requirements. AWS is the leader when it comes to Infrastructure-as-a-Service (IaaS) providers and represents one of the most trusted names in cloud-hosting.
AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. By selecting AWS as its infrastructure provider, the Quality Systems inherits the benefits of the most comprehensive, secure, scalable, and performant cloud-based environment available today.
For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.
All Quality Systems data is stored in HIPAA compliant AWS infrastructure, housed in Amazon-controlled, nondescript data centers. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. AWS also employs state-of-the-art systems for fire detection and suppression, power management and backup, and climate and temperature monitoring within their data centers.
Application Architecture and Design
We follow AWS security best practices when it comes to designing our network architecture and access model. We utilize Amazon Virtual Private Cloud (VPC) configurations to create private networks within AWS that logically separate production environments from other development or testing environments. Furthermore, each VPC is designed such that the minimum number of resources are directly exposed to the internet, thereby minimizing the potential attack surface of each VPC.
All data transmission both to and from the internet is encrypted using secure HTTP access (HTTPS) and all communication between servers is encrypted using HTTPS or SSL. Furthermore, all data is encrypted at rest using industry standard encryption techniques.
Engineering Change Management
As a cloud-based system, we are able to rapidly deploy updates in response to usability issues or newly discovered user needs, however, this requires a high-degree of confidence in the software change management system. Our development team utilizes a combination of Test-Driven Development, continuous integration, and manual code reviews to perform comprehensive testing and review of all critical systems prior to any code being approved. This ensures that all new and existing functionality is working properly prior to release. Furthermore, all code reviews must be performed by a member of the development team who is knowledgeable in the area undergoing changes, but not directly involved in its implementation. This ensures segregation of incompatible duties throughout the change management process.
We also perform automated nightly security vulnerability scans to ensure any newly discovered code vulnerabilities are quickly addressed. These scans analyze both the Quality Systems codebase as well as any of its dependencies for known vulnerabilities.
Finally, the Quality Systems team actively monitors relevant security notification digests, reports, and feeds to ensure any infrastructure or operating-system vulnerabilities are identified and resolved in a timely manner.
As important as it is to employ effective change management during the design and development phases, it is equally important to utilize effective change management during the transfer and deployment phases. As such, before any code changes are deployed to production, they are first deployed to a staging environment that simulates the production environment in terms of both virtual resources and network topology. Relevant verification and validation tests are performed in this staging environment prior to production release to ensure that all systems are performing as designed and all requirements are met in an environment that most closely resembles the production system. Only after all verification and validation has been completed and approved are changes deployed to the production environment using an automated deployment procedure.