Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

All Tidepool employees and subcontractors work remotely.

Some full-time Tidepool team members with privileged access reside outside of the United States. These international subcontractors are legally bound by the same confidentiality and security requirements as our US-based employees.

Live Search
spaceKey@self
additionalpage excerpt
placeholderSearch this space

Tidepool employees with critical production access

Access to servers is limited, logged and audited and defined explicitly using Role Based Access Control (RBAC).

Employees accessing our production database or applications authenticate using two-factor authentication.

  • We do not allow SSH or RDP access (or any other direct access to production systems, including database).

  • All connectivity to

systems using the root account; only accounts explicitly named in our configuration can access legacy EC2 hosts with a defined role. EC2 nodes contain only Analytics and Sandbox testing of new software/technology.

SSH is disabled on all production systems and enforced by configuration and policy. SSH is available only on legacy EC2 systems.

  • SSH key pairs use strong passphrases and no host can be accessed directly except via a Bastion host.

Login access to the AWS console uses two-factor authentication.

Page Tree

Tidepool employees with full
  • backend systems takes place within an AWS VPC over authenticated private network connections.

  • Admin and support access roles:

    • RBAC via OpenID Connect and OAuth2 (Google SSO)

    • All admin actions occur via an API gateway over TLS with full auditing/logging

    • All access for monitoring and troubleshooting takes place over API, there is no back end root account.

    • Application Security access changes are documented and approved via source code control

  • All login access to the AWS console requires two-factor authentication using a separated account (non-domain).

  • Use of access keys for service accounts is minimized via the use of IAM roles, with regular review and key rotation

Page Tree

Software engineers with software

Tidepool Employees Access Roles:

Full administrator access, including the production database (PHI):

Tapani Otala

Ben Derr

Todd Kazakov

Alexander Diana

7

Software deployment access for Tidepool Web

Clint Beacock

Chris McGee

Software engineers with software

: 2

Software deployment access for Tidepool Uploader

Gerrit Niezen

Chris McGee

Software engineers with software

: 2

Software deployment access for Tidepool Mobile

Nate Hamming

Pete Schwamb

Tapani Otala

Todd Kazakov
Tidepool employees with user support

: 4

User Support access in ZenDesk: 25

All full time
  • US Tidepool employees

(including full time contractors)
  • may provide user support and have access to end user account conversations in

their
  • a support capacity. These conversations may include discussion of PHI.

Tidepool employees with user

User support access in Tidepool Web

Some end-users may choose

: 14

  • Tidepool Web allows users to share

their Tidepool
  • account data directly with

support@tidepool.org
  • Tidepool within the application to assist with technical support questions and troubleshooting

. The following Tidepool employees have access to this account
  • .

Abby Bayer

Becky Cooney

Ben Derr

Chris McGee

Christopher Snider

Clint Beacock

Dave Cintron

Gerrit Niezen

Ginny Yadav

Howard Look

Nick Riggall

Tapani Otala