Data Security and Privacy
What is ExpiWell's Data Security and Privacy?
EXPIWELL DATA SECURITY AND PRIVACY
- ExpiWell is HIPAA compliant and partners with Vanta, a third-party platform, to ensure that ExpiWell is accountable to meet standards. Our detailed data security and privacy HIPAA information can be found here and is assessed in real-time (https://app.vanta.com/expiwell/trust/n0a7macfbr4druoawqj6pe).
- ExpiWell uses industry-best standards to protect customer data and data collected for research.
- Our servers are protected by high-end firewall systems, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched.
- ExpiWell uses Transport Layer Security (TLS) encryption, or HTTPS, for all transmitted data.
- ExpiWell data is also encrypted at rest in AWS using AES-256 key encryption.
- Our services are hosted by Amazon Web Services (AWS) which is a well-known and trusted data center that meets the requirements of security-sensitive organizations while providing data privacy.
- As further discussed in the web link (https://aws.amazon.com/compliance/data-privacy-faq/): “AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It extends ISO information security standard 27001 to cover the regulatory requirements for the protection of personally identifiable information (PII) or personal data for the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that is applicable to PII processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage. Additionally, AWS publishes a SOC 2 Type II Privacy report, based on the SOC 2 Privacy Trust Criteria, developed by the American Institute of CPAs (AICPA), which establishes criteria for evaluating controls related to how personal data is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. The AWS SOC 2 Privacy Type II report provides third-party attestation of our systems and the suitability of the design of our privacy controls, as stated in our Privacy Notice. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. The SOC 2 Type II Privacy report can be downloaded through AWS Artifact in the AWS Management Console.”
- ExpiWell subscribers control their users and their data. Therefore, it is important for subscribers to practice sound security practices by using strong account passwords, not storing passwords in easily accessible places, and restricting access to their accounts to authorized persons who can access data.
- ExpiWell requires that passwords are sufficiently complex (at least eight (8) or more characters, one upper case, one number).
- All passwords expire after 90 days; researchers will be required to create new passwords that are not the same as 3 previous passwords
- There is also the option to enable 2-factor authentication for user accounts to add additional security.
PII and Passive info
- ExpiWell collects sensitive information and follows industry standards to protect this data (see above). Information that may be collected include: first name, last name, date of birth, ethnicity, gender, country and state
- This information collected is for the purpose of building a Taker’s ExpiWell profile and not shared with Makers at any time.
- Submission data may also include sensitive information, but will not include profile information and both are protected under our Data Protection practices.
- ExpiWell currently collects only two forms of passive information.
- The second form of passive information includes anonymous passive app usage data for the purpose of detecting mobile issues and performance metrics.
- One form of passive information includes location or GPS (long, lat, and timezone) data. If Makers enable data location collection, Takers must first consent to allow passive GPS information to be collected. ExpiWell requests access for Taker’s phone microphone, camera (photo and video), storage, and GPS (long, lat, timezone). We do not store any device identifiers or any other passive information that would link back to the user on the app side.
- When participating in research using ExpiWell software, your privacy and data security are of utmost importance. ExpiWell is committed to maintaining compliance with both the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). This means that any personal data collected during the study is protected and handled with the highest standards of security and confidentiality. HIPAA compliance ensures that your health information is safeguarded according to U.S. regulations, while GDPR compliance guarantees that your personal data is protected according to European Union standards. ExpiWell employs strict data protection measures, including encryption and access controls, to prevent unauthorized access and ensure your information is used solely for research purposes. By participating, you consent to the use of your data under these compliance frameworks, ensuring your rights and privacy are respected throughout the research process.
Please visit https://app.expiwell.com/privacy for the full ExpiWell Privacy Policy.
Related Articles
Group Data Collection
How Does Group Data Collection Work? For experience sampling and ecological momentary assessment projects, the default is to collect data at the individual level. In other words, we care only about individual experiences. However, there are many ...
Institutional Review Board (IRB) Information
Read Our Privacy Policy Here Privacy Policy • Please visit https://app.expiwell.com/privacy for the full ExpiWell Privacy Policy. ExpiWell Data Security and Privacy information • ExpiWell uses the industry's best standards to protect customer data ...
Fitbit Integration
Enhancing your research using wearable technology Leveraging wearables such as Fitbit can provide numerous advantages in conducting ecological momentary assessments. Fitbit offers APIs that allow ExpiWell to access a wide range of data, including ...
FAQ
12 FAQ about the ExpiWell Platform These are some commonly asked questions by researchers seeking to do experience sampling or ecological momentary assessment on the ExpiWell platform. 1) I've created an account but can't log in as it says my account ...
Enabling 2FA for ExpiWell Account
Why You Should Enable 2FA for Your ExpiWell Account To ensure that accounts can have an additional layer of security, ExpiWell provides users the option of enabling 2FA. This will help add additional protection to the ecological momentary assessment ...