EXPIWELL DATA SECURITY AND PRIVACY

• ExpiWell is HIPAA compliant and partners with Vanta, a third-party platform, to ensure that ExpiWell is accountable for meeting standards. Our detailed data security and privacy HIPAA information can be found here and is assessed in real-time (https://app.vanta.com/expiwell/trust/n0a7macfbr4druoawqj6pe).
• ExpiWell uses industry-best standards to protect customer data and data collected for research.
• ExpiWell's servers are hosted on AWS servers in the United States, specifically in the US East (N. Virginia) region. High-end firewall systems protect our servers, and scans are performed regularly to ensure any vulnerabilities are quickly found and patched. 
• ExpiWell uses Transport Layer Security (TLS) encryption, or HTTPS, for all transmitted data.
• ExpiWell data is also encrypted at rest in AWS using AES-256 key encryption.
• Our services are hosted by Amazon Web Services (AWS), a well-known and trusted data center that meets the requirements of security-sensitive organizations while providing data privacy.
  • As further discussed in the web link (https://aws.amazon.com/compliance/data-privacy-faq/): “AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It extends ISO information security standard 27001 to cover the regulatory requirements for the protection of personally identifiable information (PII) or personal data for the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that is applicable to PII processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage. Additionally, AWS publishes a SOC 2 Type II Privacy report, based on the SOC 2 Privacy Trust Criteria, developed by the American Institute of CPAs (AICPA), which establishes criteria for evaluating controls related to how personal data is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. The AWS SOC 2 Privacy Type II report provides third-party attestation of our systems and the suitability of the design of our privacy controls, as stated in our Privacy Notice. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. The SOC 2 Type II Privacy report can be downloaded through AWS Artifact in the AWS Management Console.”
• ExpiWell subscribers control their users and their data. Therefore, it is important for subscribers to practice sound security practices by using strong account passwords, not storing passwords in easily accessible places, and restricting access to their accounts to authorized persons who can access data.
  • ExpiWell requires that passwords are sufficiently complex (at least eight (8) or more characters, one upper case, one number).
  • All passwords expire after 90 days; researchers will be required to create new passwords that are not the same as three previous passwords
  • There is also the option to enable 2-factor authentication for user accounts to add additional security.
    

PII and Passive info

1. ExpiWell collects sensitive information and follows industry standards to protect this data (see above). Information that may be collected include: first name, last name, date of birth, ethnicity, gender, country, and state.
2. This information collected is for the purpose of building a Taker’s ExpiWell profile and is not shared with Makers at any time.
3. Submission data may also include sensitive information, but will not include profile information and both are protected under our Data Protection practices.
4. ExpiWell currently collects only two forms of passive information.
5. The second form of passive information includes anonymous passive app usage data for the purpose of detecting mobile issues and performance metrics. 
6. One form of passive information includes location or GPS (long, lat, and timezone) data. If Makers enable data location collection, Takers must first consent to allow passive GPS information to be collected. ExpiWell requests access for Taker’s phone microphone, camera (photo and video), storage, and GPS (long, lat, timezone). We do not store any device identifiers or any other passive information that would link back to the user on the app side.
   

Please visit https://app.expiwell.com/privacy for the full ExpiWell Privacy Policy.