Paramedic Protocol Provider®

Security Commitments

Introduction

Acid Remap LLC (“Acid Remap”) strives to provide, at a minimum, industry-standard security for all of our customers throughout all of our processes.

Maintenance and uptime reporting

Minor security patches are performed on an ongoing, automatic basis by our cloud provider for the platform infrastructure. The public-facing web server runs updates every one to two weeks.

Application releases are performed as-needed, usually once or twice a month.

Any critical security updates for zero-day exploits or other highly time-sensitive updates are performed as close to immediately as possible.

Maintenance windows and overall system status are always available on the Acid Remap status page: status.acidremap.com.

Software, hardware, and remote access

Acid Remap LLC does not provide any hardware, nor do we require any remote or physical access to client locations or data centers.

Acid Remap instances are patched on a weekly basis, with the exception of our bastion hosts which are patched immediately on boot and terminated when not actively in use.

Data and encryption

• All data on Acid Remap servers encrypted at rest using managed keys.
• All network traffic is encrypted using a minimum of TLS 1.2.
• Data on the end-user’s device is encrypted using default iOS and Android encryption. It is up to the client and their users to enforce good security practices for users’ devices.
• Acid Remap only uses data centers in the United States except as otherwise specifically required by a client. Therefore, unless otherwise specified by a client, all data is stored in the United States.
• Data is maintained for the benefit of the client for a minimum of 7 years after publication. Data can be destroyed after the expiration of this 7-year period on request. Destruction of data on a shorter time-frame is available for Enterprise-model clients.
• Data is logically isolated between clients by Acid Remap’s code. Isolation in a separate VPC is available for Enterprise-model clients.

Password and account policies

Acid Remap Cloud Service Provider (CSP) Accounts

Acid Remap trains our employees to use strong, safe, and unique passwords, emphasizing the benefits of password managers. Multi-factor authentication (MFA) is required for Administrators with direct access to client data via the CSP.

Acid Remap will promptly revoke access to any terminated employees and will conduct a quarterly review to ensure that no users have been missed.

End User Accounts

End user passwords are required to pass several validators, providing a sensible balance between security/guessability and usability.

End user accounts require verification of emails via an automatically generated verification link.

HIPAA, PHI, and PCI

Acid Remap does not store or accept PHI or PCI. We are not HIPAA compliant at this time and cannot sign a Business Associate Agreement.