Security and Data Protection FAQ
Where can I find more information about LifeOmic Security?
See the LifeOmic Security Site. The information here includes HITRUST certification and policies, standards, and procedures. The security section of the Corporate Site also has additional security information.
Where is LifeOmic's Security and Bug-Bounty Program?
LifeOmic maintains an active bug-bounty program and a LifeOmic Hacker leaderboard. To learn more about LifeOmic's Security Program visit: https://lifeomic.com/security
Where does LifeOmic store customer data?
Data is stored in secure, virtually air-gapped production environments hosted in Amazon Web Services (AWS). This includes a combination of Amazon Simple Storage Service (S3), Amazon Relational Database Service (RDS), and Amazon DynamoDB (a NoSQL database service). All platforms and services are HIPAA compliant.
Is customer data encrypted?
Yes, all data is encrypted in transit and at rest. All data stored on the LifeOmic Platform is encrypted using strong 256-bit AES encryption. All data sent to and from the LifeOmic Platform is encrypted using Transport Layer Security (TLS / HTTPS). These are industry standards used by the largest financial institutes and technology firms around the world. LifeOmic internal employees have no access to customer data in production by default. All access to production is restricted via multiple gates enforced by the security team.
How is data separated between customers?
Each customer’s data is logically separated at the database/datastore level using a unique identifier for the customer account. The separation is enforced at the API layer where the client must authenticate with a chosen account and then the account unique identifier is included in the access token and used by the API to restrict access to data to the account. All database/datastore queries then include this account identifier.
Additionally, the LifeOmic Platform implements Attributed-Based Access Control (ABAC) to grant access to data within each customer account. ABAC allows stronger and more granular data access / authorization policies compared to simple Access Control Lists (ACLs) and Role-Based Access Control (RBAC).
How long is customer data stored?
Customer data is retained for as long as the account remains active. Data enters an expired state when the account is closed. Expired account data will be retained for 14 days. After 14 days, the project/account and related data will be removed. Customers that wish to close their account should download their data manually or via the API prior to closing their account.
Does LifeOmic support Single sign-on (SSO) and Multi-factor authentication (MFA)?
The LifeOmic Platform uses Amazon Cognito for Simple and Secure User Sign-Up, Sign-In, and Access Control. MFA and two-step verification is fully supported. Customers are responsible for enabling it for their user account. It is highly recommended that all customers enable MFA in addition to using a strong password. Additionally, LifeOmic supports sign-in with social identity providers, such as Facebook and Google, and enterprise identity providers via SAML 2.0.
What is MFA?
Multi-factor authentication, or MFA, is a strong authentication mechanism that uses at least two factors from these three categories:
- Something you know (e.g. password)
- Something you have (e.g. a token or smart device)
- Something you are (biometrics, e.g. fingerprint, retina, or facial scan)
Two-factor authentication (2FA) is one type, or a subset, of MFA.
Two-step verification / authentication, in comparison, leverages smart phones to send an SMS text message or direct push notification to an app installed on the device. This also significantly improves account security, but it is not a true form of 2FA/MFA.
What type of security assessments and audits are conducted against the LifeOmic Platform?
The LifeOmic Platform is validated against numerous internal and external security assessments/audits every year, including HIPAA compliance audit and HITRUST CSF Certification.
Does LifeOmic conduct penetration testing?
Yes, penetration testing is conducted continuously throughout the year and with each major application change by both internal and external penetration testers, white hat hackers and security researchers.
What type of security assurance does LifeOmic provide on its software?
LifeOmic software conforms to the highest standard of security throughout its development lifecycle, including:
- Security considerations and/or threat modeling are included during software design phase;
- Each code commit must be peer reviewed and approved by an engineer other than the author;
- Open source vulnerability scanning and static application security testing;
- Dynamic application security scanning and penetration testing; and
- Each deployment to production must undergo a change management approval process.
This secure DevOps process ensures security is built-in, not bolt-on to every component of LifeOmic software. Additionally, LifeOmic applications and services in production are protected by AWS Web Application Firewall, API Gateway, and Cloudfront to protect against cyber threats such as SQL injection, cross-site scripting (XSS) and distributed denial-of-service (DDoS) attacks.
How does LifeOmic Platform's architecture improve security?
The LifeOmic Platform is designed on a Micro-services Architecture, heavily leveraging Docker containers and AWS Lambda functions. The containers and Lambda functions are short-lived – they are spun up as soon as a request comes in and are terminated right after their job is complete. Each Lambda function is active for no more than five minutes. Each container or function operates in an individually isolated processing environment.
The ephemeral nature of our computational instances not only makes our services extremely scalable, but also virtually impenetrable. This operating model minimizes persistent attack surface and blast radius, making it virtually impossible for any Advanced Persistent Threat (APT) to gain a foothold, replicate in the environment, and exfiltrate data.