Passportal Security Standards
Data Encryption and the Organization Key (formally Key)
Each password stored by Passportal within Passportal is AES-256 encrypted a minimum of 300 times using 6 different SHA-256 hash keys on a randomized basis for each round of encryption. Two of the hash keys used are unique to each password record, and one of the hash keys is not generated by or stored within our system.
When a company registers any account with Passportal, they are required to choose an Organization Key which stands as a remote encryption key that lives outside of Passportal. This means that your password data is never stored at rest with or near all the keys required to decrypt it. The Organization Key is organization-wide and is the encryption key for your stored passwords. Passportal does not store or cache the Organization Key anywhere in our system, so it is vital that at least one member of your organization has stored this and is able to give it to users that forget. To reset the Organization Key means all passwords will become irretrievable and the account will need to be reset. The Organization Key is designed to ensure that there is a separate and additional level of security that protects your organization from unauthorized access to any data at Passportal.
All inbound and outbound data communication traffic with the Passportal Cloud happens over TLS 1.2 using 2048-bit SHA256 SSL certificates to ensure the protection of your data in transit.
Passportal services are hosted on Amazon Web Services which proudly boasts some of the highest security classifications and compliance certifications. Our system has been architected with redundancy, resilience, and security at every point from gateways and web services to database clusters and automation servers.
Further, in the US Passportal is designed, architected and resides in multiple AWS facilities that provide for both replication of secured data, ensuring maximum uptime and security should a failure in a single environment occur. The Passportal Cloud guarantees 99.99% uptime so that your data is available when you need it.
Amazon S3 Storage Security
Some documents, Runbooks in particular, are stored in a semi-public S3 bucket. In order to prevent unauthorized access to a company's runbook containing potentially sensitive information, we apply the following measures:
Directory traversal and viewing on the S3 bucket is disabled - a user must have the exact file name to access anything in the bucket, and there is no way to get a list of potential file names
All file names are generating as a hex encoded sequence of 36 random bytes, resulting in a 72 character file name. Since the exact sequence must be guessed to gain access to a file, this provides equivalent protection as a 288-bit password against brute force attacks
Because there is no lockout mechanism, we use an expiration policy of 3 days for data stored on the S3 bucket
Passportal and BAA requirements for HIPAA compliance
The Health Insurance Portability and Accountability Act is a legislation that provides data privacy and security provisions for safeguarding electronic Protected Health Information (ePHl). ePHl is patient health information which is computer based. The data stored within Passportal includes system configuration notes, URLs, and login credentials to various systems and applications - some of which may be systems or applications which store or manage ePHl. While the login credentials stored in Passportal may be those which grant access to systems containing ePHl, the login or password data itself is not considered ePHl. This results in the first reason why there is no need for Passportal to sign a BAA.
The access information to ePHl which includes URLs or remote server addresses and login credentials that can be accessed, known, or otherwise used by any individuals or organizations would inherently require those individuals or organizations to sign a BAA in agreement to cooperate in safeguarding the ePHl they have access to. With this in mind, Passportal's data encryption technology which leverages hundreds of rounds of AES-256 encryption via six unique SHA-256 Hash keys used on a random algorithmic basis for each login credential stored, guarantees that no member of the Passportal organization can ever access, see, or know the decrypted format of that data. One of the six keys used in the encryption technology briefly described is never generated, stored, or known by Passportal. This unknown encryption key is the Organization Key your company chooses upon registering an account with Passportal. The involvement of the Organization Key in our encryption technology makes it impossible for members of the Passportal team to completely decrypt any password data within our platform. This results in a secondary reason why there is no need for Passportal to sign a BAA.
In conclusion, since there is no ePHl data stored within Passportal and no employee, contractor, consultant, or representative of Passportal can access the login credentials stored within Passportal, the company is precluded from any requirement to sign a BAA to meet and maintain yours and your clients' HIPAA compliance.
Security, Data, and Privacy Policies
You can find this information here: https://www.solarwindsmsp.com/legal/privacy