Security and Compliance

OpenEvidence is committed to carefully protecting and securing your data and ensuring that OpenEvidence.com is always available when you need it. We use a variety of industry-standard technologies and services to safeguard your data from unauthorized access, disclosure, use, and loss, and are constantly monitoring and improving our products and services.

We fully comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), including the HIPAA Privacy, Security, and Breach Notification Rules. We have implemented stringent security measures and organizational safeguards to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) and other sensitive data.

Infrastructure Security and Reliability

Cloud platform security

OpenEvidence's services are primarily hosted on Google Cloud Platform and Vercel, industry leaders providing highly scalable and secure cloud computing platforms. We leverage Google Cloud's secure infrastructure as described in the Google infrastructure security design overview and Google security overview whitepaper. Vercel provides comprehensive Infrastructure Security and Application security protections as described in the Security and Compliance Measures overview.

Reliability

OpenEvidence strives to maintain high operational availability of our products and services.

Data Security and Privacy

User data

OpenEvidence stores and processes user data securely according to our Privacy Policy and Terms of Use.

Protected Health Information

Covered entities, as defined by the U.S. Health Insurance Portability and Accountability Act (HIPAA), may choose to transmit Protected Health Information (PHI) on OpenEvidence. We securely store, process, and transmit PHI according to our Business Associate Agreement. We fully comply with the HIPAA Security Rule, which requires us to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI.

Data encryption

Data is encrypted in transit and at rest. OpenEvidence encrypts data in transit with SSL/TLS, using strong encryption and authentication (TLS 1.2 with a SHA256 certificate), and encrypts data at rest using industry-standard encryption algorithms; data is stored within our databases with AES-256. This helps ensure that none of your data can be read by anyone who is not authorized.

Code testing and assessments

OpenEvidence tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities.

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Security control framework review and testing

OpenEvidence completes an external penetration test on an annual basis.

Security Policies

OpenEvidence maintains security policies, which are reviewed annually and updated regularly. These policies include:

  • Asset Management
  • Data Protection
  • Data Retention
  • Information Security
  • Incident Response
  • Risk Assessment
  • Software Development Life Cycle
  • System Access Control
  • Vendor Management
  • Vulnerability Management

OpenEvidence requires annual security training for all employees.

Vulnerability Disclosure

We take all reports of security vulnerabilities seriously and will respond to valid reports as we verify the vulnerability and develop a fix.

Vulnerabilities and security concerns related to OpenEvidence can be responsibly reported to security@openevidence.com. Please include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept.

We welcome security researchers to submit reports of vulnerabilities affecting OpenEvidence.com, the OpenEvidence app, and other properties involved in the processing of user data. Please be aware that bug bounties are typically reserved for confirmed reports of vulnerabilities that are medium or higher severity and offered at the discretion of our information security team. We take into account attack scenario, exploitability, and security impact.