Logging and auditing

Sumo Logic is used to capture, monitor, and analyze server-side logs.

Rollbar is used to capture, monitor and analyze client-side software logs.

Kissmetrics is used to capture user activity logs (data access, in-app-activity)

Crashlytics is used to capture crash reports from mobile clients.

Search this space

Tidepool maintains a Business Associate Agreement for HIPAA compliance with both SumoLogic and Rollbar for handling of PHI.

Sumo Logic Application service logs and analysis are available to six employees who maintain Tidepool's infrastructure. Rollbar logs are available to all developers.

Monitoring, audit controls, and system activity review is documented and complies with 45 CFR 164.308(a)(5)(ii)(C)45 CFR 164.312(b), and 45 CFR 164.308(a)(1)(ii)(D).

Tidepool implements administrative safeguards compliant with 45 CFR 164.308(a)(1) and has addressable safeguards compliant with 45 CFR 164.308(a)(3).

All application logs are stored on encrypted filesystems in Virtual Private Clouds (VPC) as described in System Architecture. Access logs to instances containing PHI are maintained via operating system logging mechanisms.

All logs are stored and verified with integrity protection or checksums to provide information to validate integrity of all log and audit data.

Where possible, logs are stored in write-only media, with no capability to modify the data.

Where possible, logs are sent off the host/application they are operating in, to provide additional integrity and mitigate the possibility of log modification.

Audit activity as defined by our Operations Security Policy:

  • Log user log-in and log-out

  • Log CRUD (create, read, update, delete) operations on application and system users and objects

  • Log security settings changes (including disabling or modifying of logging)

  • Log application owner or administrator access to customer data (i.e. Access Transparency)

  • Logs include user ID, IP address, valid timestamp, type of action performed, and object of this action.

  • Logs are stored for at least seven (7) years, or until they are no longer needed, whichever is longer.

At this time, Tidepool retains operation logging and audit trails indefinitely.

The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.