Data Policy

TERMS AND POLICIES: DATA

Ensuring the confidentiality, integrity, and availability of private patient data is of the utmost importance to Curve, as is maintaining the trust of our customers. We closely follow privacy regulations, including HIPAA, which require that electronic private health information be transmitted and stored with the utmost security and care. Our data center maintains Sarbanes-Oxley (SOX) compliance and attains the highest certifications such as recurring Statement on Standards for Attestation Engagements No. 16 (SSAE 16): Service Organization Control 2 (SOC 2) compliance and is also an ISO 27001 certified Information Security Management System (ISMS). ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing customer information based on periodic risk assessments. We treat your data with great respect to ensure that it is safe and secure at all times.

Your data is kept physically safe in data centers housed in nondescript facilities, with extensive setback and military-grade perimeter controls and access protection. Professional security with video surveillance, state-of-the-art intrusion detection systems, and other electronic means strictly control all physical access. Authorized staff must pass two-factor authentication no fewer than three times to even access these facilities; all visitors and contractors are required to present identification and are signed in and continually escorted by authorized data center security staff. Furthermore, all physical and electronic access to data centers is logged and audited routinely.

Our web servers and data servers are protected from the internet at large by cryptographically strong authentication keys plus both software and hardware firewalls. Internet traffic to and from our servers is restricted by protocol, by service port, and by source internet address (individual IP or CIDR block). Standard “denial of service” mitigation techniques such as SYN cookies and connection limiting are used to prevent outside attacks. Most importantly, your practice data is further secured, encrypted, and isolated on our servers in its own database.

The Hosted Programs are web applications that make use of features available in browsers and inherent to the way the internet is built in order to improve the experience for the Client as well as provide some types of functionality. One of those features is the ability for the browser to cache data (i.e. store data locally on the device that the browser is running on) to improve performance and to allow Client to access some types of data if an internet connection is not available. Most of this data is of a technical nature (e.g. the computer code the Hosted Programs run in order to function as intended) and a small amount of it may, in some circumstances, contain protected health information (PHI).

Clients should understand that the Hosted Programs cannot provide security for any data stored in the Client’s cache. Clients should be well versed with any and all applicable regulations that apply to them including but not limited to the HIPAA Security Rules, as applicable, to make sure that appropriate security measures in compliance with such regulations have been implemented on any computers or devices that are used to access the Hosted Programs.

All dental practice data is sent to our clustered web servers, which are located in different availability zones, through trusted 256-bit SSL encryption (the same encryption used for online banking). Each availability zone is in a distinct location, engineered to be insulated from any failure in any other availability zone. This means that if one of our servers (or an entire zone) ever fails, we can provide redundancy and ensure up-time. Distributing data across these zones in this manner helps us maintain hosted availability.

Your practice database is also replicated on multiple database servers in multiple availability zones to avoid a single point of failure and provide high availability. We also take frequent ‘snapshots’ of your database and archive it in encrypted files on a separate storage network. Archived data is also redundantly stored in multiple physical locations. So if our data servers ever did fail, we will still have a very recent copy of your data, regardless of hardware failures, natural disasters or any other cause of failure.

In addition, we ensure that all of our software and security is kept up to date with regular patches, maintenance and upgrades as necessary (so you don’t have to!). We protect your data from computer viruses, hackers, and other IT dangers.

Should you ever require a copy of your data for whatever reason, you can download it at any time, right through our application. Your data will be exported in a friendly, readable format that is compatible with common business software such as Microsoft Excel.