Updated as of 04/01/2022

Data Security

Hosting Provider

cielo24’s SaaS platform is hosted on Amazon AWS and/or Google Cloud Platform, which meet an extensive list of global security standards, including ISO 27001, SOC, the PCI Data Security Standard, FedRAMP, the Australian Signals Directorate (ASD) Information Security Manual, and the Singapore Multi-Tier Cloud Security Standard (MTCS SS 584). For more information about the security regulations and standards with which AWS complies, see the AWS Compliance webpage. Comprehensive details on Amazon AWS security policies are available at https://aws.amazon.com/security/. cielo24’s AWS hosting is within the us-east-1a and us-east-1d zones and GCP in us-central1-a.

Authentication

All interactions with the cielo24 system – be it through 3rd party services, the portfolio, or the cielo24 web interface – are gated through the cielo24 API.

All cielo24 API access is controlled on a per-call basis by an api_access token parameter.

With the exception of `login`, every API call must be accompanied by a valid api_token or the call will be rejected. API calls accompanied by a valid api_token are referred to as authenticated requests.

Invalid accesses, unauthenticated requests, or requests made with revoked api_tokens are logged for intrusion detection and analysis.

Each api_token has the following properties:

  1. It is a 128-bit random value
  2. It is valid for an unlimited number of uses
  3. It will expire after 60 minutes of consecutive inactivity
  4. It is tied to a specific account (specified at its time of generation)

An api_token may be immediately revoked at any time by using it to make an authenticated call to the `logout` API endpoint.
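The token properties listed above can be enforced server-side as in the following added example, which is not cielo24's code. The class and method names, the in-memory dictionary, the logger name and the injectable clock are assumptions made for illustration.

```python
import logging
import secrets
import time

IDLE_TIMEOUT_SECONDS = 60 * 60  # 60 minutes of inactivity, as stated in the policy
log = logging.getLogger("api_auth")  # hypothetical logger name


class TokenStore:
    """In-memory sketch of api_token handling (assumed design, not cielo24's)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._tokens = {}        # api_token -> [account_id, last_used]

    def login(self, account_id):
        """Issue a token bound to one account at generation time."""
        token = secrets.token_hex(16)  # 16 bytes from the OS CSPRNG = 128 bits
        self._tokens[token] = [account_id, self._clock()]
        return token

    def authenticate(self, token, source="unknown"):
        """Return the owning account id, or None if the call must be rejected."""
        entry = self._tokens.get(token or "")
        if entry is None:
            # Covers missing, unknown and revoked tokens; logged for analysis.
            log.warning("rejected: invalid or revoked api_token from %s", source)
            return None
        account_id, last_used = entry
        now = self._clock()
        if now - last_used >= IDLE_TIMEOUT_SECONDS:
            del self._tokens[token]
            log.warning("rejected: expired api_token for %s from %s", account_id, source)
            return None
        entry[1] = now  # unlimited uses; each use restarts the inactivity timer
        return account_id

    def logout(self, token):
        """Revoke immediately; only an authenticated call may revoke."""
        if self.authenticate(token) is None:
            return False
        del self._tokens[token]
        return True


def demo():
    """Walk a token through use, idle expiry and revocation with a fake clock."""
    now = [0.0]
    store = TokenStore(clock=lambda: now[0])
    token = store.login("acct-1")           # constructed account id
    now[0] += 59 * 60
    active = store.authenticate(token)      # still valid, timer restarts
    now[0] += 60 * 60
    expired = store.authenticate(token)     # idle for 60 minutes: rejected
    return active, expired
```
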

Encryption

All access to the cielo24 APIs is over HTTPS/TLS, with clear-text HTTP access not permitted.

In addition, remote access to cielo24’s production servers is possible only through ssh over an encrypted VPN with a VPN client certificate assigned to each authorized user. Access is granted only to the CISO and DevOps personnel.

In addition, customer credentials for the APIs are stored in hashed form – there are no clear-text passwords stored in the system. Lastly, communication with 3rd party services is performed using TLSv1 (or higher) encrypted connections.

Access Controls

Physical Access

cielo24’s production servers are located on AWS and GCP, and physical access is tightly controlled and limited to authorized AWS personnel per the security policies of AWS and Google Cloud Platform.

Software Access

All access to the cielo24 APIs is over HTTPS/TLS, with clear-text HTTP access not permitted.

In addition, remote access to cielo24’s production servers within AWS is possible only through ssh over an encrypted VPN with a VPN client certificate assigned to each authorized user. Access is granted only to the CISO and DevOps personnel.

Additional debugging/troubleshooting access is granted with a time limit, on a case-by-case basis, to authorized R&D staff, and requires prior approval by the CISO.

Source Code Access

Access to the cielo24 codebase is limited to individuals under strict confidentiality agreements and authorized as admins based on qualifications and role. All access to the source code requires the use of two-factor authentication.

Alerting and Monitoring

cielo24 utilizes Sentry for exception logging, tooling to gather alerts and performance metrics, and Stackdriver as a UI frontend to all the logged information, along with the standard monitoring services provided by AWS and GCP. Real-time alerting occurs via email and SMS, based upon:

  • crashes
  • suspicious activity
  • unexpected usage
  • irregular activity levels
  • overloads

Access to the monitoring system requires authorization by the CISO.

System Logs and Audits

All API calls to the cielo24 system are logged.  This information includes, but is not limited to:

  • user-id
  • timestamp
  • request source
  • meta-data
  • API details

Additionally, all information related to login events, authentication failures, and permission check failures is logged.

System logs are stored on our servers. This information is accessible only to system administrators and is used for troubleshooting purposes and, as necessary, incident detection, analysis, and retrospectives.

Logs corresponding to actions performed by the system to complete a work product are retained for the lifetime of the work product.

System logs are retained for one month and application-level logs for work products for the lifetime of the work product.

Application Security Policies

All accesses to the cielo24 platform occur over one of the following touch-points:

  1. The cielo24 API
  2. The integrations used to ingest and return assets
  3. The transcription tool used by cielo24 transcriptionists to process assets
  4. The review tool used by cielo24 customers to review and touch-up returned transcripts
  5. cielo24 HIPAA Policy

Each of these items is discussed below.

cielo24 API

All interactions with the cielo24 system – be it through 3rd party services, the portfolio, or the cielo24 web interface are gated through the cielo24 API as described here.

All cielo24 API access is controlled on a per-call basis by an api_access token parameter.

With the exception of `login`, every API call must be accompanied by a valid api_token or the call will be rejected. API calls accompanied by a valid api_token are referred to as authenticated requests.

Invalid accesses, unauthenticated requests, or requests made with revoked api_tokens are logged for intrusion detection and analysis.

cielo24 Web Applications

The cielo24 web applications allow customers to provide user input, such as general form completion and media submission for processing. To secure this input, it is sanitized, validated on the front end, validated on the back end, and handled on an “accept known good” basis. No unsanitized data is ever sent to databases. Media files are transcoded, and the work is rejected if the content does not pass a check for valid media.

Data Retention Policy

cielo24 retains customer work products based on customer requirements and for active customers. These requirements can include:

  • Immediate Return – in which case the data is scrubbed from the cielo24 system upon return of the work product
  • Defined Return – in which case the data is kept for a customer-specified period (e.g., 12 months)
  • Indefinite Return – in which case the data is kept for the lifetime the customer is active.

Note that in the case of Indefinite Return, there is no guarantee that the data will not be scrubbed from the system in less than 12 months.

Data scrubbing consists of removing the work products from the S3 buckets that they are stored in – this immediately invalidates all references to the work products, and ensures that they are no longer accessible.

cielo24 will provide support for all services up until the effective date of contract termination. Work products will be available for a period of twelve (12) months from the effective termination date of the contract. To retain access to the edit tool after this time, a customer can choose to opt-in to our Long-Term Data Retention service (LTDR). This will indicate to cielo24 that you wish to continue using the edit tool beyond the contract end date. It will also ensure your media and files are available on-demand (rather than requiring an Archive Retrieval Request). Media data in this regard refers to captions, transcripts, metadata, and references to the entry.

There are two options and two tiers available under our long-term data retention policies:

  1. Retain media and media data (Edit Tool)
  2. Retain media data only (“Bring Your Own Media”)

The effective cost of this service is $1.00 per GB/month of content (any kind).

Data Separation Policy

Each customer account has a unique ID that is associated with each asset and work product for that account. Each component within the cielo24 performs an associativity check to ensure that assets being processed by that component are “owned” by the customer account to which the asset belongs. A failure (accidental or malicious) immediately triggers an exception, and processing stops. Furthermore, content uploaded by a customer is only accessible via the cielo24, which performs the same associativity check, to ensure that only their content is accessible to them. Finally, upon completion of a job, the return handler component performs the same associativity check, to ensure that the work product is being returned to the account that owns the underlying assets.

This multi-layered process of validating account to asset association ensures that a customer’s data is truly separated from other customers at every level of the system.

cielo24 Integrations

Integrations are the process by which the cielo24 platform ingests assets from customers, and returns the work products to them.  The integrations fall into two categories:

  1. API integrations, where the ingestion and return are embedded into the customer’s platforms, products, and services.  In these cases, the integrations are based upon the cielo24 API and use the authentication and access control mechanism described here.
  2. Direct Integrations, where the ingestion and return are via FTP, SFTP, “Private” YouTube channels, etc.  In these cases, the customer provides cielo24.com with the credentials to the appropriate direct integration facility (e.g. an API key), and these are then embedded into the integration.

In both cases, access to the assets is gated upon customer-provided authentication tokens such as an API key. Each such access is logged by cielo24, and an audit trail is maintained.  

Finally, invalid accesses, unauthenticated requests, or requests made with revoked api_tokens are logged for intrusion detection and analysis.

HIPAA

NOTE: The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health Act, are collectively referred to herein as “HIPAA.” Laws and regulations and how they are interpreted and enforced by courts and governmental authorities sometimes vary, including by size of customer, industry, territory, or jurisdiction and may change over time. This statement is designed to be a broad overview and is not legal advice, and we urge you to consult with your own counsel to familiarize yourself with the requirements that govern your specific situation. cielo24  complies with the provisions of the HIPAA Security Rule that are required and applicable to it in its capacity as a business associate in providing and operating the cielo24 Services. 

HIPAA Compliance Overview

cielo24 is HIPAA compliant and undergoes annual penetration testing. All staff are vigilant to protect privacy and security in all forms, including printed, spoken, and electronic forms. We ensure that our business associates and contractors who handle confidential data and information are fully complying with HIPAA and have business associate agreements when required to do so. cielo24 contributes to keeping confidential data and information secure in the cielo24 by implementing security safeguards that apply to all customers by default, such as:

  • Continually monitoring the services for security violations 
  • Encrypting all data in transit 
  • Protection of confidential data and information from accidental disclosure
  • We work with customers to limit the confidential data and information content they transmit to us
  • Storing user passwords in the SHA-256 one-way hash format 
  • Enabling audit logging that allows system administrators to track certain change activities
  • Providing customer administrators with configurable tools to maintain strict password security policies which govern access 
  • Providing customer administrators with configurable tools to define user-profiles and permission sets governing data visibility 
  • Providing customer administrators with configurable tools to define a company-wide sharing model, a role hierarchy, and security rules governing data access 
  • Employees are trained to ask the Privacy Officer when unsure about a particular confidential data and information disclosure
  • Compliance with retention and disposal of confidential data and information
  • Employees are only able to access transcripts on an as-needed basis
  • Employee device policies

HIPAA Privacy and Security Officer

The company has appointed a Privacy Officer to oversee the development of privacy policies, ensure those policies are implemented, and update them annually. The HIPAA Privacy Officer is also responsible for maintaining NPPs, scheduling training sessions and self-audits, and otherwise ensuring that the organization is compliant with the HIPAA Privacy Rule. The HIPAA Privacy Officer ensures procedures are in place to prevent, detect, and respond to breaches of confidential data and information.

Security Safeguards

The Privacy Officer manages and gauges the effectiveness of all Security Safeguards.

  • Administrative Safeguards
    • Security management processes
    • Designate security personnel
    • Adopt an information access management system
    • Provide workforce security training
    • Periodically assess all security protocols
  • Physical Safeguards
    • Ensures control of who has access to physical facilities where confidential data and information is stored. 
    • They also secure all workstations and devices that store or transmit confidential data and information.
  • Technical Safeguards
    • Ensures employees only see data they’re authorized to see. 
    • Data is encrypted when it is at rest and during transit
    • Conducts audit controls for all hardware and software that manage or transmit confidential data and information to ensure they meet HIPAA network requirements. 
    • Audit control over all HIPAA related activity

Risk Assessments and Self-Audits

The Privacy Officer conducts risk assessments and self-audits. cielo24 conducts annual audits of all administrative, technical, and physical safeguards to identify compliance gaps. Organizations must then create written remediation plans that clearly explain how they plan to reverse HIPAA violations and when this will happen.

Breach Notification Protocol

The Privacy Officer conducts any notification under the breach notification rule, which requires covered entities and business associates to report all breaches to OCR and to notify patients whose personal data might have been compromised. HIPAA-beholden organizations are required to have a documented breach notification process that outlines how the organization will comply with this rule.

Confidentiality and Staff Training

cielo24 staff have signed confidentiality agreements and are trained on all HIPAA compliance efforts — including privacy and security policies, risk assessments and self-audits, and remediation plans.  The staff adheres to all company data handling and reporting policies.

Data Collection and Usage

We protect and limit data exposure wherever possible. We do not collect information other than what is uploaded by users in audio/video form and transcribed to text. We do not share or sell information we collect with third-party marketers. For additional information see our privacy policy and data security standards.

FERPA

NOTE: The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.

Compliance Overview

cielo24’s privacy policy conforms to the Federal Family Educational Rights and Privacy Act of 1977 (FERPA). cielo24 does not share any captioning data, encrypts all the data being processed, has data scrubbing mechanisms and a customizable data retention policy, and requires anyone with access to agree to a confidentiality agreement.

According to FERPA, personally identifiable information in an education record may not be released without prior written consent from the student. For institutions to be FERPA compliant in their relationship with cielo24, they must scrub all personally identifiable information from their multimedia content before sending it to cielo24 or else receive prior written consent from every student involved.

Personally identifiable information is any information — directory and non-directory information — that can easily be traced to the student or distinguishes the student’s identity. This includes, but is not limited to, the following:

  • date of birth
  • citizenship
  • disciplinary status
  • ethnicity
  • gender
  • grade point average (GPA)
  • marital status
  • SSN/student I.D.
  • grades/exam scores
  • test scores (e.g., SAT, GRE, etc.)
  • progress reports (degree audit)

For more information on cielo24 data protection please contact us at: [email protected]