Security Overview

We take the protection of your data very seriously. Our team has been building enterprise software for 25 years and commercial cloud software since 2006, including cloud software for the healthcare market since 2008. We will work hard every day to build and maintain your trust.

As part of Microsoft Azure’s Enterprise-scale Production Landing Zone architecture, we take advantage of full redundancy for all major systems. 

Our systems are engineered to stay up and/or recover even if multiple servers fail. 

myCaribou is deployed onto a dedicated, Enterprise-scale Production Landing Zone on Microsoft’s Azure Cloud Infrastructure, using the Enterprise Cloud Adoption Framework. 

myCaribou’s primary production data center is in Canada (Canada Central). 

Your data is ALL encrypted at rest 

Our application databases are encrypted at rest.  Any files which you upload to myCaribou are stored and are encrypted at rest. 

Azure Database 

  • The Azure (PostgreSQL) Database service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, including the temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

Azure Storage

  • Data in Azure (Blob) Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

Azure Managed Disks (VMs) 

  • myCaribou’s Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments. Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud.  
  • Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.  

All data is backed up regularly and securely   

Transaction logs are stored every hour and full backups are taken daily, encrypted, and stored in a separate physical location.   

Your data in transit is encrypted 

Whenever data is being transferred between components, locations, or programs, it’s in transit. Examples are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as ExpressRoute), or during an input/output process. 

TLS encryption in Azure 

  • myCaribou implements Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers. Our datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS 1.2 is enforced and provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use. 
  • Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and myCaribou (Azure) cloud services by using unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in transit.

SSL/TLS Certificates 

  • Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS), has become a standard for securing Internet connections and is used to prevent eavesdropping on the network. The SSL/TLS protocol allows a client and server to authenticate each other and negotiate encryption algorithms. 
  • SSL uses an encryption key and an encryption algorithm to secure the HTTP connection. The encryption keys are contained in SSL certificates used by both the client and the server. The certificate is typically an X.509 (RFC 2459) document. The server provides the SSL certificate for the session and sends the certificate to the client in the handshake phase. The client sends its certificate to the server only if the server sends a request to the client for a certificate. Thus, the client always authenticates the server, but the server has the option whether or not to authenticate the client. 

Key management with Key Vault 

  • Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services such as myCaribou. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.

Sophisticated physical security

Our state-of-the-art infrastructure within Microsoft Azure data centers is protected by world-class physical security. Biometric locks and round-the-clock interior and exterior surveillance monitoring are just the beginning. Only authorized Microsoft personnel have access to data centers. 24/7/365 onsite staff provide additional protection against unauthorized entry and security breaches.

Regularly updated infrastructure

myCaribou’s software infrastructure (all within Microsoft Azure) is updated constantly with the latest security patches. Our products run on a dedicated Azure infrastructure which is locked down with firewalls and load balancing, and is continuously monitored.

Constant monitoring

We have a team committed to maintaining our infrastructure in addition to sophisticated, automated monitoring tools set up to alert us to any nefarious or questionable activity against our domains. We retain activity, log analytics and related monitoring data for 365 days.

Caribou team access control (restricted) and organizational security

All myCaribou employees and contractors sign confidentiality agreements before gaining access to myCaribou platform resources. We limit and audit internal production infrastructure access, restrict it to a limited production infrastructure group, and require MFA (multi-factor authentication) for any access to production data or resources. We log all access by and to all accounts and platform resources.

Platform Status

Our platform status page will also provide information around platform updates, service status, outages, or other related activities. Our status page can be found here: http://support.cariboumed.com/status.

In the unfortunate circumstance that someone malicious does successfully mount an attack, we will immediately notify all affected customers.

Data protection and privacy

Our privacy policy is available at https://support.cariboumed.com/privacy-policy/.

Want to know more? Have a concern? Need to report an incident?

Please contact our customer care team who will be happy to facilitate answers for you.