Information Security at Binti
Binti is happy to receive questions about its information security practices, as we see the protection of our customers’ information as primary to our business. At Binti, security was integrated into our company from the very beginning and remains a primary focus today.
Security is integrated throughout the environment, from the people, to the processes, to the technology. All information gathered is encrypted in transit and at rest. Since Binti is a SaaS solution, you never have to worry that your version of the software is out of date.
Here are a few of the key areas where security is deeply ingrained into what we do everyday:
Binti regularly tests the security of its environment through a combination of automated tools and practices.
- Regular network security assessments
- Regular application security vulnerability assessments
- Static code analysis before every integration and release
- Criticality-based remediation prioritization
Binti is hosted in a Virtual Private Cloud on industry-leading Google Cloud Services, which
- Is accredited under numerous stringent compliance programs
- Features state of the art physical, network, and host-based security systems
- Permits Binti to operate with High Availability (HA)
- Does not have access to Binti’s encrypted customer data
Data Security: At-rest and In-transit
Binti data lives in a Postgres database that is fully encrypted with industry-standard AES-256 block encryption. We replicate all data in a streaming manner to a different Google Cloud availability zone and have scheduled backups to three or more Google Cloud regions. The scheduled backups are subject to automated monitoring and routine restore testing. Postgres itself has a 20-year track record and is the official database of Cloud.gov. Binti observes a data retention policy that securely destroys sensitive data when it is no longer needed.
All communications between Binti users in their desktop or mobile browser and Binti’s server use the industry-standard HTTPS (HTTP over TLS) protocol secured by an Extended Validation (EV) certificate with an RSA-2048 key and SHA-256 signature. We enforce HTTPS at the edge and at the application level, using HTTP Strict Transport Security (HSTS).
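The following is an added illustration of what "enforcing HTTPS at the edge and at the application level" looks like in code; it is not Binti's code, and the header parameters, the `X-Forwarded-Proto` convention and the `canonical_host` setting are assumptions. The middleware redirects plain-HTTP requests to HTTPS and attaches the `Strict-Transport-Security` header only to HTTPS responses (browsers ignore HSTS received over HTTP, per RFC 6797). Two caveats a practitioner wants are built in: the forwarded-scheme header from the TLS-terminating edge is trusted only when the app is not reachable directly, and the redirect target is pinned to a canonical host so a spoofed `Host` header cannot turn the redirect into an open redirect.

```python
# Added example: HTTPS enforcement plus HSTS as a plain WSGI middleware (no framework needed).
# Header values and the proxy convention below are assumptions, not Binti's configuration.

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; assumed parameters


def request_is_https(environ, trust_proxy_header=True):
    """Decide whether the original client connection was HTTPS.

    At the edge, a TLS-terminating load balancer forwards plain HTTP to the app and records
    the original scheme in X-Forwarded-Proto. That header is only meaningful when the app
    cannot be reached without going through the edge; otherwise a client can spoof it.
    """
    if trust_proxy_header:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            # A chain of proxies may append values; the first one is the client-facing hop.
            return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_enforcer(app, trust_proxy_header=True, canonical_host=None):
    """Wrap a WSGI app: redirect HTTP to HTTPS, add HSTS to every HTTPS response."""

    def middleware(environ, start_response):
        if not request_is_https(environ, trust_proxy_header):
            # Pin the redirect target when a canonical host is configured; reflecting the
            # request's Host header would let an attacker-controlled Host become the target.
            host = canonical_host or environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            path = environ.get("PATH_INFO", "/") or "/"
            qs = environ.get("QUERY_STRING", "")
            location = "https://" + host + path + ("?" + qs if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Drop any HSTS header the app set itself so exactly one authoritative value is sent.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return middleware


def hello_app(environ, start_response):
    """Stand-in application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run(app, environ):
    """Minimal WSGI driver: returns (status, headers-as-dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed request environments: one plain-HTTP hit, one that came through the edge.
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "app.example.org",
             "PATH_INFO": "/login", "QUERY_STRING": "next=%2F"}
    via_edge = dict(plain, HTTP_X_FORWARDED_PROTO="https")
    print(run(https_enforcer(hello_app), plain))
    print(run(https_enforcer(hello_app), via_edge))
```

With `trust_proxy_header=False` the same request carrying a spoofed `X-Forwarded-Proto: https` is still redirected, which is the setting to use when the application port is exposed without an edge in front of it.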
The Human Factor
Binti staff members are required to use multi-factor authentication (MFA) when authenticating to corporate information systems. Binti staff use only hardware and software that meet enterprise-grade security requirements (including full disk encryption). Our corporate premises have been audited for physical security and feature a commercial-grade intrusion detection system.
Binti customer support staff are required to complete counter-social engineering training as well as successfully complete an industry-leading Security Awareness Training program on an annual basis.
We follow the principle of least privilege when granting our employees authorization on our corporate information systems and when granting our users authorization on our products.
Security Monitoring and Incident Response
Security events detected by the Binti SIEM are handled by the Binti Security Team and triaged based on the Binti Security Operations Plan. Triage ends with the event either being resolved and documented or being declared an incident.
In the event that a security incident is declared, a designated trusted advisor will be brought in to assist with the investigation at that time. If any customer data were to be affected, customers (or the appropriate organizations) would be notified at the appropriate time based on local requirements.
Business Continuity and Disaster Recovery
Binti’s BC/DR plans are tested using a scenario-based approach. A list of scenarios has been created that involve outages or unavailability of some subset of the Binti infrastructure, and the BC/DR workflows require the Binti team to restore normal operation under those conditions.
Zendesk is the third-party software Binti Customer Support utilizes to meet chat, email and phone needs of our clients. Binti maintains a Business Associate Agreement (“BAA”) with Zendesk and we utilize the “HIPAA Enabled Account” option for our Zendesk Enterprise service.
Chat is the most secure channel for communicating with Binti Customer Support.
To protect any PHI/PII shared during a chat, the follow-up email you receive will not include the transcript unless you requested it through the chat feature. If you wish to receive the chat transcript afterwards, reply to that email and our Support team will provide the transcript with any PHI/PII removed.
For any email a client sends to Binti Customer Support, the latest security settings are configured in Zendesk. We cannot guarantee the security of Zendesk emails once they are delivered to the client's mailbox, and recommend using chat where possible.
We ask that any additional PHI/PII context be sent securely to a dedicated secure mailbox that is accessible only to a limited number of employees.
Binti Customer Support Security Protocol
All Binti Customer Support Associates are to take all necessary measures to protect PHI/PII.
- Binti Customer Support will provide the minimum amount of personal information to meet the client’s needs.
Acceptable: the client's name plus any of the following:
- Email address
- RFA# (or other Agency ID#)
- Binti links
Not acceptable: the client's name together with any of the following:
- Phone #
- Date of birth
- Direct links for password resets
- If any additional data (including attached documentation) beyond the name that could be PHI/PII is provided by the client, Binti Customer Support will not include those details in any response to the client and will redirect the client to safer practices.
- If a client emails Binti Customer Support with attached document(s) that include PHI/PII, Binti Customer Support will send a new email to the client with confirmation of the original request being met. (This measure of creating a new email will eliminate the client’s document(s) from being shared more than one time, reducing PHI/PII being transmitted.)
- Binti Customer Support staff are trained on PHI/PII and the security measures that are expected of them. In addition, the Customer Support Quality Lead monitors Customer Support staff correspondence to ensure PHI/PII information is protected.
- Binti Customer Support staff are required to complete counter-social engineering training as well as successfully complete an industry-leading Security Awareness Training program on an annual basis.
For NIST Special Publication 800-63B (Authentication and Lifecycle Management), Binti complies with Authenticator Assurance Level 1 (AAL1). If Single Sign-On (SSO) is set up with multi-factor authentication, Binti complies with AAL2.
Binti requires a password to be at least 8 characters and allows up to 4096 characters. We additionally check passwords against a list of banned passwords that includes the corpora of multiple breaches and lists of common passwords. A user's account is locked after 3 attempted password resets.
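As an added illustration of the password policy described above (not Binti's code), the following implements the three checks in one place: the 8 to 4096 character length window, a banned-list lookup fed by breach corpora and common-password lists, and a reset-attempt counter that locks the account at the third attempt. Lengths are counted in Unicode code points after NFKC normalization, as SP 800-63B recommends, so that a fullwidth or decomposed spelling of a banned password cannot slip past the list. The banned entries and the "lock on the third attempt" reading of the limit are assumptions; a real deployment would source the list from a breach corpus (for example via a k-anonymity lookup) rather than embed it.

```python
# Added example: a password policy checker modelled on the page's stated rules.
# The banned list below is a tiny constructed stand-in for the breach corpora and
# common-password lists the page mentions; it is not Binti's list.
import hashlib
import unicodedata

MIN_LEN = 8
MAX_LEN = 4096
MAX_RESET_ATTEMPTS = 3  # assumption: the account locks on the third attempt


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Stored as SHA-1 digests, as breach-derived lists usually are, so plaintext never ships.
BANNED_SHA1 = {
    _sha1_hex(p) for p in (
        "password", "123456789", "qwertyuiop", "iloveyou1", "letmein123",
    )
}


def normalize(password):
    """NFKC-normalize so visually equivalent Unicode forms compare as the same string."""
    return unicodedata.normalize("NFKC", password)


def check_password(password, banned=BANNED_SHA1):
    """Return (accepted, reason). Length is measured in code points, not bytes."""
    pw = normalize(password)
    n = len(pw)
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    # Exact match against the corpus, plus a case-folded match (a stricter choice,
    # assumed here) so trivial capitalisation of a leaked password is still rejected.
    if _sha1_hex(pw) in banned or _sha1_hex(pw.lower()) in banned:
        return False, "banned"
    return True, "ok"


class ResetAttemptTracker:
    """Counts password-reset attempts per user and locks the account at the limit."""

    def __init__(self, limit=MAX_RESET_ATTEMPTS):
        self.limit = limit
        self.attempts = {}
        self.locked = set()

    def is_locked(self, user):
        return user in self.locked

    def record_reset_attempt(self, user):
        """Return True if the attempt may proceed, False if the account is locked."""
        if user in self.locked:
            return False
        self.attempts[user] = self.attempts.get(user, 0) + 1
        if self.attempts[user] >= self.limit:
            # The limit-th attempt is still processed, but the account locks behind it
            # so no further resets are accepted until staff unlock it.
            self.locked.add(user)
        return True

    def unlock(self, user):
        """Clear the counter and lock, e.g. after identity verification by Support."""
        self.attempts.pop(user, None)
        self.locked.discard(user)


if __name__ == "__main__":
    for candidate in ("short", "password", "\uff30\uff21\uff33\uff33\uff37\uff2f\uff32\uff24",
                      "correct horse battery staple 42"):
        print(repr(candidate), check_password(candidate))
    tracker = ResetAttemptTracker()
    print([tracker.record_reset_attempt("alice") for _ in range(4)])
```

The fullwidth candidate above normalizes to `PASSWORD`, which the case-folded check maps onto the banned `password`; without NFKC it would have been eight "new" characters and passed.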
Feel free to contact us via phone or email with any questions regarding our password policy. We can be reached at firstname.lastname@example.org.