We are fully HIPAA compliant and our payments infrastructure is PCI Level 1 compliant\u2014your clients payment, package, and other data are safeguarded with enterprise-grade security.<\/p>\n
Exercise.com is hosted as an application in Google Cloud Platform (GCP) in the USA, Canada, the EU, the United Kingdom, and Australia. We also utilize Amazon Web Services (AWS) to serve some assets. These Google and Amazon facilities hold all major security and data privacy accreditations, including SOC1 \u2013 SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, and FIPS 140-2.<\/p>\n
The physical access to servers in the data centers are restricted to authorized Google and Amazon personnel. Exercise.com employees have no physical access to the servers. We don’t host any on-premise infrastructure and we require two-factor authentication for all employees that work with internal systems (code repositories, build systems, cloud providers, etc.). We apply the \u201cleast privilege\u201d model meaning we assign access to employees based on the absolute least access someone needs to be able to perform their duties.<\/p>\n
Exercise.com engages a 3rd-party cybersecurity company to conduct regular penetration tests, no less than annually, and to evaluate and prescribe accordance with all HIPAA compliance standards and industry security best practices.<\/p>\n
All customer data is always encrypted, in transit and at rest. We use an up to date TLS 1.x protocol for all control communications, including data transfer between components, to ensure all traffic is encrypted. For data at rest, we use AES 256-bit, one of the most secure encryption protocols.<\/p>\n
Exercise.com services are deployed using industry best practices. High availability and disaster recovery is built-in into our cloud architecture. In case of a component failure, the platform launches additional instances and redirects the load.<\/p>\n
Exercise.com’s backup policies and procedures outline the critical resources, including the databases, that are backed-up automatically to enable recovery needed to meet our SLAs. All production data is being replicated automatically to a separate infrastructure. Exercise.com backs up its data continuously.<\/p>\n
We limit the extent of data sharing with our sub-processors to the degree that is minimally necessary to provide our service and make sure that all the technology providers that we use:<\/p>\n
We encrypt (see Encryption & Access Control) all customer data stored in our infrastructure providers’ (GCP and AWS) data centers in transit and at rest. We share only limited information with Stripe, necessary to manage subscriptions, invoice and process payments (including customers’ billing addresses, contact details and bank account details). We use customer relations management software, HubSpot, Salesforce, and Salesloft, to automate the communication with customers and to store customer contacts in their systems.<\/p>\n