Security Statement
At Trazer Inc., we prioritize the security and confidentiality of our clients’ data. As part of our commitment to maintaining a secure environment, we have implemented a comprehensive set of measures to protect data hosted on the Azure platform. Azure follows strict guidelines and uses state-of-the-art architectural and engineering approaches to guard against physical and environmental threats. It has extensive experience in designing, constructing, and operating large-scale datacenters.
Physical access is strictly controlled, both at the perimeter and at ingress points by security staff and video surveillance. All staff members pass two-factor authentication to access the datacenter. All visitors and contractors are required to present identification and are escorted by authorized staff. There are also fire detection and suppression, power, climate and temperature, and electromechanical support systems.
Physical Security
Our infrastructure is hosted and managed on Microsoft Azure. We rely on their secure infrastructure to store data across multiple cloud regions and availability zones.
Azure data centers are highly secure facilities that incorporate multiple layers of physical security controls, including access control, video surveillance, and 24/7 monitoring to protect against unauthorized access. Physical access to data center facilities is strictly limited to select cloud staff. They continually manage risk and undergo recurring assessments to ensure compliance with industry standards.
Data Center policies for handling fire detection, power loss, climate disasters, temperature control, data center management, etc. can be found on the data centers’ website:
Microsoft Azure: https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details
Data Encryption
- Encryption in Transit: We prioritize the security of data during transmission over networks. All communication with our Azure resources is encrypted using the SSL protocol. This ensures that data transmitted between our systems and Azure is protected from interception or tampering.
- Database Encryption: TRAZER databases use Transparent Data Encryption to encrypt data at rest. It provides protection against the theft of our databases or backup files.
- Secure Configuration and Auditing: We configure our Azure resources to utilize encryption features effectively and follow Azure’s security best practices. We regularly review and update our configurations to ensure that encryption controls are properly implemented. Additionally, we leverage Azure’s auditing capabilities to monitor and track encryption-related activities, helping us identify any potential vulnerabilities or unauthorized access attempts.
Ongoing Evaluation and Improvement
We understand that the security landscape is constantly evolving, and we are committed to staying up to date with the latest encryption technologies and practices. We continuously evaluate our encryption measures, monitor industry developments, and apply necessary improvements to strengthen our data protection strategies.
SYSTEM SECURITY
- Coding Standards & Development: We adhere to strict development processes and coding standards to ensure the best security practices.
- Application Security: Our system components undergo testing and source code reviews to assess the security of our application, architecture, and service layers. The TRAZER application uses EV Code Signing, which offers enhanced security, trust, and integrity. It protects against tampering, reduces the risk of malware distribution, and helps users make informed decisions about the software they run.
- System Configuration: Server and system access are limited to select senior staff whose activity is peer reviewed, monitored, and reported at regular intervals.
CUSTOMER DATA SECURITY
- Trazer Inc. Employee Access: All employees undergo pre-employment background checks and must agree to company policies, including security policies. We provide ongoing security awareness training designed to keep all members of staff informed and vigilant of security risks. Trazer Inc. strictly follows the principle of least privilege, i.e., employees are only given access to securables that they require to perform their day-to-day operations. Password rotation policies are enforced. All data access permissions are reviewed every 90 days.
- Trazer Inc. Employee Onboarding Policy: All new employees are required to read and agree to both the security policy and the privacy policy. Additionally, within one week of employment, all new employees are required to complete HIPAA Privacy & HIPAA Security training; employment is contingent upon successful completion.
HIPAA Privacy & HIPAA Security
Trazer Inc. Exit Policy
During the employee exit process, all access for the employee exiting is removed.
Upon employment, new employees sign a comprehensive confidentiality agreement that extends beyond their employment. Upon separation, existing employees are given a copy of the signed confidentiality agreement.
Disaster Recovery / Backup
We perform regular data backups to mitigate the risk of data loss. Our backup strategy includes automated and scheduled backups of critical systems and databases. We adhere to industry best practices and consider factors such as data volume, frequency of changes, and recovery time objectives to determine the appropriate backup intervals.
To maintain the confidentiality and integrity of backed-up data, we utilize encryption techniques. This ensures that even if backup files are compromised, the data within them remains protected and unreadable.
We regularly test and validate our disaster recovery and backup processes to ensure their effectiveness. This includes performing simulated disaster scenarios and recovery drills to verify the recoverability of data and systems. By conducting these tests, we identify any potential gaps or issues in our recovery procedures and take corrective actions to enhance our preparedness.
Vulnerability Management
Trazer Inc.’s vulnerability management process actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews, and external audits. Once a vulnerability requiring remediation has been identified, the assigned Trazer Inc. team logs it, prioritizes it according to severity, and assigns it to an owner. The team tracks each issue and follows up frequently until they can verify that it has been remediated.
Trazer Inc. also maintains relationships with and communicates frequently with members of the security research community to continually update internal best practices.
Security Capabilities – Customer Best Practices
Customers are responsible for managing their Super Admin, Site Admin, and Providers, as well as onboarding and offboarding their users.
Password Protection
Super Admins, Site Admins, and Providers are responsible for maintaining the secrecy of their password and account information at all times. We recommend strong passphrases and regular password rotation.
On Site Security
No data is stored on the TRAZER XP Unit. The TRAZER XP System is cloud-based and information is securely stored as outlined above in a Microsoft Azure protected cloud.
Access to TRAZER is limited to individuals assigned by the Super Admin(s), the individual or individuals designated by the Customer to manage the TRAZER System on behalf of the Customer. Each of the following Customer Access Levels is password protected and is verified at every login by third-party authentication.
If the TRAZER software application (on the TRAZER unit) is dormant for up to 30 minutes, all Admins and Users will be logged out. The Super Admin can set this period at intervals of 5 minutes. To ensure individual User data is valid, Providers are prompted to confirm the User between exercises.
As an added layer of security, Personal Identification Numbers (PINs) may be required to access individual information. The use of PINs may be established at the sole discretion of the Customer and Super Admin.
Customer Access Levels
Super Admin
Highest level of management control and visibility across the entirety of the Customer’s use of TRAZER. The Super Admin may access all the information of every unit in every location and is responsible for assigning and managing Site Admins (access to a single system or all systems housed in a single physical location).
Super Admins manage the entire system with access to both the Application and TRAZER Portal.
Site Admin
Highest level of management of a single unit or location. The Site Admin has access only to the information for Users assigned to their unit or location via the Application or TRAZER Portal. The Site Admin may create Providers, at the sole discretion of the Super Admin.
Providers
Providers have access to the TRAZER Application and Portal with limited permissions at the sole discretion of the Super Admin or Site Admin.
Third-Party Authentication
All Admins and Providers are subject to third-party authentication upon login, with no ability to “Save” passwords when accessing the Application via the TRAZER unit. All Admins and Providers are also subject to third-party authentication upon login to the TRAZER Portal; there, the ability to “Save” passwords depends on the browser used for access. It is the responsibility of the Customer to establish a regular password policy to ensure security.
In addition to the above, Customers are responsible for establishing Best Practices to ensure the security of their system and data. These may include, but are not limited to:
- Managing Admins and Providers to ensure security and confidentiality.
- Establishing an internal offboarding process to ensure system access is immediately removed upon exit/termination.
- Immediately informing Trazer of staff changes via their Customer Success Manager.
If you have any questions or concerns about this policy or how we manage security, please contact us at:
Trazer Inc.
629 Euclid Ave
11th Floor, Suite 1101
Cleveland, OH 44114
privacy@trazer.com
(440) 835-9191
Updated: 31 October 2023