Tidepool's Business Associate Agreements with Subcontractors

Tidepool inherits many security controls from our cloud vendors, particularly AWS, who provide the majority of our compute hosting services either directly or indirectly. For reference, we provide links to the compliance documentation for these providers certifications below. Due to internal security or confidentiality concerns, some entities do not provide detailed compliance information publicly, but known references are below.

Controls inherited or that are shared responsibility with AWS, Google and other cloud providers include, but are not limited to Physical Security, Data Center Security, Data Destruction, Network Security Controls, System Inventory

• Amazon for Amazon Web Services

  • AWS provides all their security audit and compliance documentation through the AWS platform service Artifact.

    • A free personal AWS account can be created to access this documentation if required

• Google for G Suite (email, drive and Google Docs) and Google Compute Platform

  • Google provides all its compliance documentation from their Compliance Reports Manager

• Rollbar, for HIPAA-compliant client-side logging, monitoring and analysis

  • https://docs.rollbar.com/docs/security

• Sumo Logic, for HIPAA-compliant server-side logging. monitoring and analysis

  • https://www.sumologic.com/security/platform-security/

• ZenDesk, for HIPAA-compliant customer support ticketing and knowledge base. Found at support.tidepool.org

  • https://www.zendesk.com/product/zendesk-security/#artifacts

• MongoDB Atlas, for HIPAA-compliant database software, hosting and services

  • https://www.mongodb.com/cloud/trust#compliance

• Marketo, for HIPAA-compliant marketing communications tasks

  • https://www.marketo.com/company/trust/security/

Prior to entering into a BAA with a subcontractor, Tidepool performs a security and risk evaluation for each service and its integration into Tidepool services evaluating the following elements:

• Security - encryption, authentication/SSO/MFA, authorization, logging, auditing, access control

• Operations - metrics, reporting, availability, backup, data retention/re-use, continuity of service/data re-use

• Regulatory - BAA implementation, service agreements

• Legal - data location, storage, destruction, area of operations, company geographic location

• Disaster Recovery/Continuity - data export, backup, re-use, continuity/data transformation/recomposition