1. We must comply with HIPAA. Would SaneBox enter into a Business Associate Agreement (BAA)?
We would absolutely enter into a BAA.
2. What controls are in place to prevent or detect a user’s credentials from being accessed by an employee at SaneBox?
The network associated with the machines that hold those credentials is not directly accessible from the Internet. The bastion host used to access that network is protected by individual account credentials, and that bastion host is in turn remotely accessible only via an authenticated VPN connection. The production machines that house that data are protected by their own credentials. The credentials themselves are secured by an industry-standard encryption system, and all encryption keys are protected and isolated by a secure credential store system. Only select senior engineering staff have access to the necessary corporate credentials.
3. What controls are in place to prevent or detect a change in configuration from pulling only headers to pulling full body of emails?
All access to, and console commands on, production machines are logged, and the log is reviewed daily. All software changes to our base system are reviewed and tested by members of the senior engineering staff.
4. What criteria would define a data breach at SaneBox?
Our intrusion detection system and access logs would alert us to an attempt. But a data breach would require both a network breach and a breach of our secure credential store system.
5. What requirements does SaneBox have to notify users of its service of a data breach?
Once any system breach was detected by our intrusion detection system or by our daily review of access logs, we would take steps to determine whether any machine with customer data was accessed. Once we had identified that a breach of customer data had happened, we would notify all affected customers.
Have further questions?