Security FAQ
Last Updated February 2024
Introduction
Acid Remap LLC (“Acid Remap”) strives to provide, at a minimum, industry-standard security for all of our customers throughout all of our processes. This Security Policy FAQ is intended to address common concerns of Information Technology departments that are frequently part of a security questionnaire. It is provided upon request to all clients and prospective clients.
This is a living document and we will add to it as there are additional frequently asked questions.
Specific questions, as well as custom security questionnaires, will be answered for prospective Enterprise-model clients. Please note that this document is the only security information that Acid Remap will provide for non-Enterprise-model clients, including Branded-model clients.
Key Personnel
Oded Wurman, Chief Executive Officer,
acting Chief Information Security Officer
415-967-2243
oded@acidremap.com
Benjamin Powers, Chief Operating Officer
bpowers@acidremap.com
Joseph Chellman, Chief Technical Officer
joe@acidremap.com
Description of Solution
Acid Remap provides document management, storage, and mobile app distribution to employees and contractors of our clients, on a contract basis. Although we are focused on EMS protocols and supporting documentation, our solution can be applied to any type of document set.
Acid Remap created the Paramedic Protocol Provider app and supporting platform, upon which we build white-label apps for our Branded- and Enterprise-model clients.
The target audiences for our product are your management staff (for the platform and portal) and employees/contractors (for the mobile app).
Architecture Overview
Protocol Authors and Maintainers can deliver updates via the self-service web portal, or by sending documents to Acid Remap staff for processing. User access is managed by agency administrators or Acid Remap staff as needed. Protocol documents are then processed and uploaded to the platform, where they are available for download by end users after QA review.
End users can download the app from the Apple App Store or Google Play Store, and access the documents offline. Notifications of new protocol updates are delivered in-app. Updates to the apps are delivered by the app stores themselves.
Platform
Acid Remap LLC provides a web-based administration portal for its platform. We also provide mobile apps for the iOS and Android operating systems.
The infrastructure powering the mobile apps runs on Amazon Web Services (AWS). The API servers are built using the Elastic Beanstalk platform, and run the Django application framework for the Python programming language. The web-based portal is a static web application served by S3 and CloudFront.
Agreements
Our services are provided under a subscription agreement with our clients. We have an End User License Agreement between ourselves and the end user. Both of these are negotiable for Enterprise-model clients.
A Service-Level Agreement and Data Security Agreement are available for our Enterprise-model clients.
Maintenance and Uptime Reporting
Minor security patches are performed on an ongoing, automatic basis by AWS for the platform infrastructure. The public-facing web server runs updates every one to two weeks.
Application releases are performed as-needed, usually once or twice a month.
Any critical security updates for zero-day exploits or other highly time-sensitive updates are performed as close to immediately as possible.
Maintenance windows and overall system status are always available on the Acid Remap status page: status.acidremap.com.
Software, Hardware, and Remote Access
Acid Remap LLC does not provide any hardware, nor do we require any remote or physical access to client locations or data centers.
Acid Remap instances are patched on a weekly basis, with the exception of our bastion hosts which are patched immediately on boot and terminated when not actively in use.
Data and Encryption
- All data on Acid Remap servers is encrypted at rest using AWS S3-managed keys (AES-256).
- All network traffic is encrypted using a minimum of TLS 1.2.
- Data on the end-user’s device is encrypted using default iOS and Android encryption. It is up to the client and their users to enforce good security practices for users’ devices.
- Acid Remap only uses data centers in the United States except as otherwise specifically required by a client. Therefore, unless otherwise specified by a client, all data is stored in the United States.
- Data is maintained for the benefit of the client for a minimum of 7 years after publication. Data can be destroyed after the expiration of this 7-year period on request. Destruction of data on a shorter time-frame is available for Enterprise-model clients.
- Data is logically isolated between clients by Acid Remap’s code. Isolation in a separate VPC is available for Enterprise-model clients.
Password and Account Policies
Acid Remap Cloud Service Provider (CSP) Accounts
Acid Remap trains our employees to use strong, safe, and unique passwords, emphasizing the benefits of password managers. Multi-factor authentication (MFA) is required for Administrators with direct access to client data via the CSP.
Acid Remap will promptly revoke access to any terminated employees and will conduct a quarterly review to ensure that no users have been missed.
End User Accounts
End user passwords are required to pass the following Django validators:
- UserAttributeSimilarityValidator
- MinimumLengthValidator
- CommonPasswordValidator
- NumericPasswordValidator
End user accounts require verification of emails via an automatically generated verification link.
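The four validators listed above are Django's built-in password validators (enabled in a Django project through the AUTH_PASSWORD_VALIDATORS setting). The following is an added illustration, not Acid Remap's code, that re-implements their default behaviour in plain Python so the rules can be exercised without Django: the assumed defaults are a minimum length of 8 and a similarity threshold of 0.7, and the common-password list is a constructed five-entry stand-in for Django's full list.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for Django's bundled list of ~20,000 common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_similarity(password, user_attrs, max_similarity=0.7):
    """Mirror UserAttributeSimilarityValidator: reject a password that closely
    resembles the username, name or e-mail. Like Django, each attribute is also
    split on non-word characters so 'jsmith@example.com' yields 'jsmith' too."""
    for name, value in user_attrs.items():
        if not value:
            continue
        parts = re.split(r"\W+", value) + [value]
        for part in parts:
            ratio = SequenceMatcher(a=password.lower(), b=part.lower()).quick_ratio()
            if ratio >= max_similarity:
                return f"The password is too similar to the {name}."
    return None


def check_min_length(password, min_length=8):
    """Mirror MinimumLengthValidator (Django default: 8 characters)."""
    if len(password) < min_length:
        return f"This password is too short. It must contain at least {min_length} characters."
    return None


def check_common(password):
    """Mirror CommonPasswordValidator: case-insensitive lookup in the common list."""
    if password.lower().strip() in COMMON_PASSWORDS:
        return "This password is too common."
    return None


def check_numeric(password):
    """Mirror NumericPasswordValidator: reject all-digit passwords."""
    if password.isdigit():
        return "This password is entirely numeric."
    return None


def validate_password(password, user_attrs):
    """Run all four checks; return the failure messages (an empty list means accepted)."""
    results = (check_similarity(password, user_attrs), check_min_length(password),
               check_common(password), check_numeric(password))
    return [msg for msg in results if msg]
```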
HIPAA, PHI, and PCI
Acid Remap does not store or accept PHI or PCI. We are not HIPAA compliant at this time and cannot sign a Business Associate Agreement.