Security Commitments

Introduction

Acid Remap LLC (“Acid Remap”) strives to provide, at a minimum, industry-standard security for all of our customers throughout all of our processes.

Maintenance and uptime reporting

Minor security patches are performed on an ongoing, automatic basis by our cloud provider for the platform infrastructure. The public-facing web server runs updates every one to two weeks.

Application releases are performed as needed, usually once or twice a month.

Any critical security updates for zero-day exploits or other highly time-sensitive updates are performed as close to immediately as possible.

Maintenance windows and overall system status are always available on the Acid Remap status page: status.acidremap.com.

Software, hardware, and remote access

Acid Remap LLC does not provide any hardware, nor do we require any remote or physical access to client locations or data centers.

Acid Remap instances are patched on a weekly basis, and remote access is managed via a VPN and security groups through our cloud provider (AWS).

Vulnerability Detection and Mitigation

Acid Remap regularly scans our systems for vulnerabilities using automated tools, and has pentests performed at least annually. We promptly address any issues that are identified. We solicit security feedback and concerns from our users via our website contact.

Employees are trained to recognize and avoid phishing and social engineering attacks. These trainings are refreshed at least annually.

In the unlikely event of a data breach, Acid Remap will notify affected customers within 2-3 business days of discovery, in accordance with applicable laws and regulations. We carry cybersecurity insurance to help mitigate the impact of any such breach.

Data and encryption

  • All data on Acid Remap servers is encrypted at rest using managed keys.
  • All network traffic is encrypted using a minimum of TLS 1.2.
  • Data on the end-user’s device is encrypted using default iOS and Android encryption. It is up to the client and their users to enforce good security practices for users’ devices.
  • Acid Remap only uses data centers in the United States except as otherwise specifically required by a client. Therefore, unless otherwise specified by a client, all data is stored in the United States.
  • Data is maintained for the benefit of the client for a minimum of 7 years after publication. Data can be destroyed after the expiration of this 7-year period on request. Destruction of data on a shorter time-frame is available for Enterprise-model clients.
  • Data is logically isolated between clients by Acid Remap’s code. Isolation in a separate VPC is available for Enterprise-model clients.
  • Database backups are performed continuously, and are retained for at least 30 days. Other backups of customer data are performed at least daily. All customer data backups are encrypted at rest, and access is strictly limited to a small number of senior employees. Employee workstations are backed up continuously, locally and to the cloud, and encrypted at rest. Backups are tested for integrity at least annually.

Password and account policies

Acid Remap Cloud Service Provider (CSP) Accounts

Acid Remap trains our employees to use strong, safe, and unique passwords, emphasizing the benefits of password managers. Multi-factor authentication (MFA) is required for Administrators with direct access to client data via the CSP.

Acid Remap will promptly revoke access for any terminated employees and will conduct a quarterly review to ensure that no users have been missed.

End User Accounts

End user passwords are required to pass several validators, providing a sensible balance between security/guessability and usability.

End user accounts require verification of emails via an automatically generated verification link.

HIPAA, PHI, and PCI

Acid Remap LLC is HIPAA-compliant. We can provide an AT-C 315 report and sign a Business Associate Agreement with an Enterprise-level agreement. We do not accept PHI without a Business Associate Agreement in place. We are able to sign a Business Associate Agreement to store PHI on behalf of customers at their request, and with an enterprise-level contract.

Contact with Concerns

If you have any concerns or questions about security, please email us.
