Data Security Policy

At Vitalacy, it is our priority that our users entrust us with their data and expect the highest levels of security.  


Our data is meant to provide its clients with the information needed to help create a safe environment for both healthcare professionals and their patients. The end user is free to choose whether they want their personal data identifiable or for it to remain anonymous. Any user information in our system is present with the knowledge of the user. This user information is only restricted to the user’s name.  


We take our users’ security and privacy concerns extremely seriously and strive to ensure that user data is kept secure. This Security Statement aims to create transparency of our security infrastructure and practices in order to help reassure you that your data is appropriately protected. 



1.0 Application and User Security


  • SSL/TLS Encryption  

    • Clients have the option to opt. for an SSL/TLS certificate. This protects communications by using both server authentication and data encryption and ensures that user data in transit is safe, secure, and available only to intended recipients.  

  • User Authentication 

    • User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. We issue a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user. 

  • User Passwords 

    • User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.  

  • Data Encryption 

    • Certain sensitive user data and account passwords, is stored in encrypted format.  

  • Privacy:  

    • We have a comprehensive privacy policy that provides a very transparent view of how we handle your data.  

  • Third Party Security Certification 

    • Vulnerability Scans & Penetration Testing are performed by a Certified Third Parties at specific intervals to certify the security of our application platform. 



2.0 Physical Security


  • Data Centers 

    • Our information systems infrastructure (servers, networking equipment, etc.) is hosted on AWS (Amazon Web Services). AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are signed in and continually escorted by authorized staff. 

    • AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely. 

  • Assurance 

    • Additionally our provider meets the following Assurances Programs. PCI DSS Level 1, SOC 1/ISAE 3402, SOC 2. SOC 3, ISO 9001, IRAP, CJIS, CSA, FERPA, HIPAA, FedRAMP, DoD CSM Levels 1-2, 3-5, DIACAP and FISMA, ISO27001, MTCS Tier 3, ITAR, MPAA, G-Cloud, and Section 508/VPAT.  

  • Location:  

    • All user data is stored on servers located in the United States.  


3.0 Network Security


  • Secure Network Architecture: Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed.

  • Uptime: Continuous uptime monitoring, with immediate escalation to our Network Operations Team for any downtime.

  • Testing: System functionality, security and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

  • Firewall: Firewall restricts access to all ports except 80 (http) and 443 (https).

  • Patching: Latest security patches are applied to all operating systems, Database engines, and application files to mitigate newly discovered vulnerabilities.

  • Access Control: Secure VPN and role-based access is enforced for systems management by authorized staff.

  • Logging and Auditing: Central logging systems capture and archive all systems.

  • Corporate Segregation: Logically, the production network is separated from the Corporate Network. All authorized users connect to the production environment via a private key


4.0 Storage Security


  • Backup Frequency: We backup several times a day to a centralized backup system for storage in multiple geographically disparate sites.

  • Production Redundancy: Data stored in Amazon EBS (Elastic Block Storage) and striped across multiple Amazon EBS volumes. Organizational & Administrative Security

  • Employee Screening: We perform background screening on all employees.

  • Training: We provide security and technology use training for employees.

  • Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.

  • Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.

  • Audit Logging: We maintain and monitor audit logs on our services and systems.

  • Information Security Policies: We employ a Certified Information Systems Security Professional to maintain our internal/external information security policies, including incident response plans, and regularly review and update them.


5.0 Data Security


  • The data collected by Vitalacy devices does not include any patient data whatsoever.

  • We collect information on location, assets, provide data on user, unit, and department basis.

  • Data Collection:

    • Wristband location events and timestamps

    • Wristband hand wash events and timestamps

    • Location beacon battery levels

    • Dispenser sensor battery levels

    • Dispenser sensor activation counter

  • Data Analytics and Processing:

    • User compliance data

    • Group compliance data

    • Dispenser activity by location

    • Device maintenance reports – showing devices that need attention

  • All data can be requested to be anonymous to the client/institution and only available to the end-user.



6.0 Software Development Practices


  • Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding. Our code is tested for security vulnerabilities in staging before being pushed into production.

  • Handling of Security Breaches: Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if we learn of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.


Your Responsibilities: Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any data you download to your own computer away from prying eyes.


7.0 Data Retention Policy

  • We seek to ensure the retention of only data necessary to effectively conduct and provide our services. The need to retain data varies widely with the type of data and the purpose for which it was collected. We strive to ensure that data is only retained for the period necessary to fulfill the purpose for which it was collected and is fully deleted when no longer required.  ​

  • Scope 

    • This policy applies to raw and aggregated data gathered by the Vitalacy Platform. 

  • Retention Period  

    • Unless otherwise requested by our clients, Vitalacy data is removed for our system periodically and only aggregated data backups are collected and stored. Data collected by our platform will be held for a period of no more than one year. Data destruction ensures that we manage the data we control and process in an efficient and responsible manner.  

  • Any exceptions to this data retention policy must be approved by Vitalacy’s data protection officer.  

Questions regarding this statement may be sent to