What is ExpiWell's Data Security and Privacy? 

• ExpiWell is HIPAA compliant and partners with Vanta, a third-party platform, to ensure that ExpiWell is accountable to meet standards. Our detailed data security and privacy HIPAA information can be found here and is assessed in real-time (https://app.vanta.com/expiwell/trust/n0a7macfbr4druoawqj6pe).
• ExpiWell uses industry-best standards to protect customer data and data collected for research.
  
• Our servers are protected by high-end firewall systems, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched. 
  
• ExpiWell uses Transport Layer Security (TLS) encryption, or HTTPS, for all transmitted data.
  
• ExpiWell data is also encrypted at rest in AWS using AES-256 key encryption.
• Our services are hosted by Amazon Web Services (AWS) which is a well-known and trusted data center that meets the requirements of security-sensitive organizations while providing data privacy.
  
  • As further discussed in the web link (https://aws.amazon.com/compliance/data-privacy-faq/): “AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It extends ISO information security standard 27001 to cover the regulatory requirements for the protection of personally identifiable information (PII) or personal data for the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that is applicable to PII processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage. Additionally, AWS publishes a SOC 2 Type II Privacy report, based on the SOC 2 Privacy Trust Criteria, developed by the American Institute of CPAs (AICPA), which establishes criteria for evaluating controls related to how personal data is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. The AWS SOC 2 Privacy Type II report provides third-party attestation of our systems and the suitability of the design of our privacy controls, as stated in our Privacy Notice. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. The SOC 2 Type II Privacy report can be downloaded through AWS Artifact in the AWS Management Console.”
• ExpiWell subscribers control their users and their data. Therefore, it is important for subscribers to practice sound security practices by using strong account passwords, not storing passwords in easily accessible places, and restricting access to their accounts to authorized persons who can access data.
• ExpiWell requires that passwords are sufficiently complex (at least eight (8) or more characters, one upper case, one number).
  
• All passwords expire after 90 days; researchers will be required to create new passwords that are not the same as 3 previous passwords
  
• There is also the option to enable 2-factor authentication for user accounts to add additional security.