Privacy Policy

Who we are

Our website address is: http://censonhealth.com

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

DATA SECURITY POLICY IN BRIEF

CENSON focuses on security from the ground up. Our Data Center is compliant with:

HIPAA
SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
SOC 2
SOC 3
PCI DSS Level 1
ISO 27001
FedRAMP(SM)
DIACAP and FISMA
ITAR
FIPS 140-2
CSA
MPAA
and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via two-factor authentication over SSL, and all access to our web portal is secured over HTTPS using 256-bit SSL encryption. Additionally, all staff members with access to Client Data receive certification as a HIPAA Privacy Associate.

DEFINITION OF TERMS & SYSTEM USERS
Client — A customer of CENSON.

User — An individual with access to a CENSON Application.

Admin — A Client User with the capability of viewing and managing certain aspects of Client’s CENSON Account.

Member — A Client User whose account is provisioned through Client’s Web Portal. A Member cannot log in to or otherwise access any CENSON Application directly. All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard.

Developer — A User that can create vendor applications in CENSON for the purpose of integrating mobile health apps and/or devices.

CENSON Admin — A CENSON employee with access to managing a Client’s account.

DATA CENTER AND HARDWARE
All CENSON application and database servers are physically managed in secure data centers. Our Primary Data Center is located in the Canada (Montreal) Region and our Redundant Data Center is located in the US East (Illinois) Region. Our security procedures utilize industry best practices. All data center facilities are certified SSAE 16 (SOC 1) Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. Our servers feature a Hardware Firewall and receive integrated server hardening, regular full-system virus scanning and systems patching, and regular security profile reviews and upgrades.

PHYSICAL SECURITY
All servers are located in a Data Center that features proximity security badge access and digital security video surveillance. CENSON employees do not have access to physical server hardware.

DATA ACCESS AND SERVER MANAGEMENT SECURITY
CENSON has SSL and PPTP VPN as well as dedicated VLAN connections to our hosting environment. Only select CENSON employees are able to access the server network.

For details on 99.95% Availability (less than 5 minutes of downtime per year), Fire Detection and Suppression, Power, Climate and Temperature, read here

DATA STORAGE AND BACKUPS
All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard, and all data is encrypted at rest using 256-bit AES. Jade production database servers are partitioned using RAID 1 with 24-hour disk backup of all data files. Database backups use a fully disk-based solution (disk-to-disk), and full system backups are performed daily and weekly. Daily backups are retained for a minimum of 7 days; weekly backups are retained for a minimum of 52 weeks. Backup services are provided.

DESTRUCTION OF SERVER DATA
In order to maintain system integrity, Client Data that has outlived its use is retained up to 60 days before it is destroyed. The data may remain in our backup files for up to 14 months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.

STORAGE DEVICE DECOMMISSIONING
Old computers and servers used to store or access client information receive a 7-pass erase that meets the U.S. Department of Defense 5220.22-M standard for erasing magnetic media.

Paper information in the office is discarded using a document shredder or a commercial secure document shredding service.

INTRUSION DETECTION AND INCIDENT RESPONSE
Our servers run OSSEC to actively monitor for intrusions. OSSEC uses HIDS (Host-Based Intrusion Detection), log monitoring and SIEM (Security Information and Event Management).

INCIDENT RESPONSE
CENSON security administrators will be immediately and automatically notified via email if OSSEC or other implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within 1 hour.

Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and establishing the nature of the incident, with the following goals:

Maintain or restore business continuity
Reduce the incident impact
Determine how the attack was performed or the incident happened
Develop a plan to improve security and prevent future attacks or incidents
Keep management informed of the situation and prosecute any illegal activity

DETERMINING THE EXTENT OF AN INCIDENT
Security administrators will use forensic techniques including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.

NOTIFYING CLIENTS OF AN INCIDENT
Clients will be notified via email within one hour upon detection of any incident that compromises access to the service, compromises data, or otherwise affects users. Clients will receive a status update every 4 hours and upon incident resolution.

APPLICATION SECURITY
All data transfer and access to CENSON applications will occur only on Port 443 over an HTTPS encrypted connection with 256-bit SSL encryption.

SYSTEM UPDATES AND SECURITY PATCHES
As a hosted solution, we regularly improve our system and apply security patches. No client resources are needed to perform these updates. Non-critical system updates will be installed at predetermined times (typically 6:00 a.m. Eastern on Tuesdays). Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before implementation.

USER LOGIN AND SESSION SECURITY
Members are not able to directly login to CENSON Applications. All Member logins and sessions are authenticated via secure access tokens.

APPLICATION PASSWORD MANAGEMENT
Admin passwords must have at least 8 characters with at least one number and one letter.

CENSON Admin passwords must have at least 8 characters with at least one number and one letter, and at minimum either one capital letter and/or one special character.

DISASTER RECOVERY
The entire CENSON server stack is replicated in real time between the Primary Data Center in the Canada (Montreal) Region and the Recovery Data Center in the US East (Illinois) Region using global load balancing and geographically diverse DNS routing. These systems are on two separate power grids, which ensures that if one location is taken offline for any reason, the other system is fully isolated and will be able to maintain operations. Recovery of the lost system is evaluated at the time of the incident. If the disaster situation is likely to be resolved within 24 hours, CENSON will run solely on the reserve system until the reciprocal setup can be replicated and restored. If it is unlikely that the datacenter will be fully operational within 24 hours, we will work quickly to set up a new redundant server stack in the Canada (Montreal) Region.

CENSON conducts periodic internal audits on compliance with this policy.

Anti-spam policy

1. Introduction
1.1 In the context of electronic messaging, “spam” means [unsolicited, bulk or indiscriminate messages, typically sent for a commercial purpose].
1.2 We have a zero-tolerance spam policy.

2. Credit
2.1 This document was created using a template from Docular (https://docular.net).

3. Spam filtering
3.1 Our messaging systems automatically scan all incoming [email and other] messages and filter out messages that appear to be spam.
3.2 We may also report incoming email as spam. This can result in IP addresses and domain names being blacklisted.

4. Spam filtering issues
4.1 No message filtering system is 100% accurate, and from time to time legitimate messages will be filtered out by our systems.
4.2 If you believe that a legitimate message you have sent has been filtered out by our systems, please advise the message recipient by another means.
4.3 You can reduce the risk of a message being caught by the spam filters by:
(a) sending the message in plain text (instead of, or in addition to, HTML);
(b) removing any message attachments;
(c) avoiding the terminology and text styling typically used by spammers; and/or
(d) ensuring that your messages are scanned for malware before dispatch.

5. User spam
5.1 We provide a facility that enables users to send [email messages] OR [private messages] OR [[message type(s)]] to others.
5.2 Users must not use our messaging facility or any of our other services to store, copy, send, relay or distribute spam.
5.3 Full provisions concerning the use of our messaging facility are set out in our website terms and conditions of use.

6. Receipt of unwanted messages from us
6.1 In the unlikely event that you receive any message from us or sent using our systems that may be considered to be spam, please contact us using the details below and the matter will be investigated. It is our policy not to use unsolicited messages for advertising our services and/or products.

7. Variation

7.1 We may amend this policy at any time by publishing a new version on our website.

8. Our details

8.1 This website is owned and operated by CENSON LLC.
8.2 Our principal place of business is at 30 N. Gould Street, Sheridan, WY 82801.
8.3 You can contact us:
(a) by post, to the postal address given above;
(b) using our website contact form
(c) by telephone, on the contact number published on our website; or
(d) by email, using the email address [email protected]