Security Compliance
Regulatory Compliance
SMYLS complies with applicable legal and regulatory requirements as well as best practices. This includes SMYLS's compliance with all Canadian Privacy laws, GDPR, HIPAA, and Standard Codes of Practice across multiple health professions.
PCI compliant
SMYLS never stores or processes credit card information, we are PCI compliant. Actually processing of credits cards completed by our third party credit processing partner, which are all PCI compliant.
Dedicated Team
We have a dedicated Security and Privacy Team that regularly reviews our policies, updates training and ensures that SMYLS is one of the top health companies to secure data.
Security Culture
At SMYLS, we implement regular security training. The training that we provide is developed by our very own Security and Privacy Team, which covers our information security policies, security best practices, and privacy principles.
Confidentiality
SMYLS employees sign a confidentiality agreement upon hire. We also have a strict policy that we only access your account when you request assistance from us.
Recovery Plan
SMYLS maintains a Disaster Recovery Plan, which is regularly reviewed and updated by our Security and Privacy Team.
Incident Response Program
SMYLS maintains an incident response program that defines the conditions and procedures we have in place to assess any relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events.
Privacy Breach Policy
We follow the BC Privacy Commissioner's 4 Step Privacy Breach Response Protocol. The documentation can be found here: Privacy Breach Policy.
Security FAQ
Where is SMYLS Data Stored?
SMYLS proudly stores all data is in Canada, on secure, best in class cloud infrastructure.
How is SMYLS Data Secured?
SMYLS Data is encrypted using 128-bit encryption when sent between your device and our servers, and stored with 256-bit encryption (in the same way as your banking information would be).
How is SMYLS Data Accessed?
Administrators, Doctors, Nurses, and staff each access SMYLS using their own account secured by a username and password, and may additional make use of the 2-Step Verification feature. Account Owners can control access permissions for each user.
How is SMYLS Data Backed-up?
SMYLS backs up customer data daily, to data servers independent of our application servers, in independent locations. All backup data is encrypted at rest.
Data Retention and Storage
SMYLS will store data for as long as the clinic holds an active subscription, and the clinic can choose when to delete data that is no longer needed. A cancelled subscription means that the account and any Subscriber Data associated with the account is no longer available for everyday use. Transactional and client data can be exported for your own independent backups.
Who owns SMYLS Data?
Personal information we collect from Account Owners and our customers to open and maintain their SMYLS account (i.e. clinic name, billing information, contact information) is handled in the ways laid out in our Privacy Notice.
Personal data that our customers collect about their clients (i.e. names, demographics, billing information, etc.) is fully owned by the customer. Essentially, SMYLS acts as an agent that stores data on behalf of our customers, but we don’t control or own that data. The Account Owner / Subscriber of a SMYLS account retains ownership of all patient data.
Will my data be deleted if I cancel my SMYLS account?
If you cancel your SMYLS subscription, you will not have day-to-day access to your data, but your data will remain securely stored on our servers for a period of up to 2 years if you ever need to reactivate the account. At this time, SMYLS does not delete data after a subscription has been cancelled — however, we can’t commit to storing the data of a cancelled account forever. We highly recommend exporting your Data before cancelling your SMYLS account so you can keep a copy for your records.
Still Have Questions?
Have any questions about this guide or anything else related to security? Feel free to email Privacy and Security Support at privacy@smyls.ca and we’d love to clarify anything you’re unsure on!
Security Features
Privacy Policy and Terms & Conditions
When you open an account with SMYLS, you agree to our Privacy Policy and Terms & Conditions. These documents represent our agreement with you on how SMYLS will properly handle the information for which you are the custodian.
Encryption & Secure Data Transfer
Anytime you transfer data from your computer to SMYLS, the information is encrypted with the same level of security as your bank uses to transfer information. Read more here: Security FAQ.
Zero Credit Card Data in SMYLS
SMYLS never stores a client’s plain credit card information directly on SMYLS servers. When you enter a credit card in SMYLS, SMYLS instantly transfers that data to one of our Canadian payment processing partners through encrypted transfer. Our PCI-compliant payment processing partners store that information for SMYLS. The default behaviour of these partners is to store the credit card information so that refunds can be processed, and to manage subscriptions.
Our payment processing partners have been very carefully chosen, and they employ AES-256 encryption for all sensitive merchant and cardholder data, such as name, card numbers, expiry dates and cardholder address in order to meet PCI compliance. We do not store CVV, PIN, EMV, or mag data. Our partners safeguard data in transit with TLSv1.2 and strong cyphers, excluding outdated SSLv3, TLSv1.0, and TLSv1.1 from our systems. This ensures that data is encrypted in transit and maintains integrity. In addition all payment partners are Level 1 PCI-DSS compliant service provider, by undergoing rigorous on-site audits, vulnerability scanning, penetration testing, and adherence to NIST security practices, all aimed at ensuring the highest level of data security compliance with the Payment Card Industry Data Security Standard.
Account Owner Control
Account owners can control access permissions for each user, as well as terminate access at will.
Unique User ID & Password Required
Administrators, Doctor, and staff each access SMYLS using their own account secured by a unique User ID and Password. In addition, you may use 2FA (2-factor authentication) for an additional layer of security.
Sign-in after Inactivity (Auto Log-Out)
To further protect patient information on a computer that may be accessed by multiple staff members, SMYLS provides the option to ask for a password after an account has been inactive for some time (between 10 minutes to 4 hours).
Limited Deleting of Patients
To avoid irreparable mistakes with data, SMYLS does not allow deleting clients for whom you have created transactions for. You will only be able to delete a client if they have no transactions attached to their name.
Still Have Questions?
Have any questions about this guide or anything else related to security? Feel free to email Privacy and Security Support at privacy@smyls.ca and we’d love to clarify anything you’re unsure on!
Data Hosting
Microsoft Azure
SMYLS physical infrastructure is hosted and managed within Microsoft Azure secure data centres. We utilize their built-in security, privacy, and redundancy features, including AWS's ability to perform regular backups. Azure complies with leading security policies and frameworks, including ISO 27001, SOC 1 and SOC 2.
Resiliency
Hosting on Azure allows SMYLS to remain resilient, even if one location goes down. Azure spans across multiple data centres within a particular region (called availability zones), which allows SMYLS servers to remain resilient in the event of a failure, including natural disasters or system failures.
Defense In Depth
We've enabled Azure’s security features like intrusion protection system and Web Application Firewall.
Encrypting Data
Data that passes through SMYLS is encrypted, both at transit and at rest. We also encrypt all volumes where customer data is stored, and we also individually encrypt all backups. Data in transit is encrypted using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM and at rest using AES 256 encryption.
Datacenter Security
Azure follows industry best practices and has strict physical access policies for the data centre building.
Continuous Monitoring
SMYLS has continuous and automated monitoring and vulnerability scanning on the Azure infrastructure so that we are proactive and have a complete awareness of any potential vulnerabilities, incidents, and threats.
Customer Backups
SMYLS backs up customer data daily, to data servers independent of our application servers, in independent locations. All backup data is encrypted at rest and transit.
Application Security
Account Ownership
As per terms of use, all SMYLS data is owned by the Account Owner. In addition, the Account Owner controls and configures all staff permissions and access levels.
Account Security
SMYLS secures your credentials by using leading industry standards to salt and hash your credentials before it is stored. We also have additional documentation on our security features found here: Security Features
Data Protection
SMYLS will continue to secure and protect your data so long as you have a SMYLS account and unless instructed otherwise by the Account Owner. If the Account Owner decides to close their SMYLS account, they can export your data, or we will export the data free of charge.
Development Lifecycle
SMYLS developers follow a strict policy to ensure that SMYLS features and updates are secure by design, in development, and after deployment. SMYLS releases weekly (or sometimes more) updates that are heavily tested by our QA Team before deployment. All updates do not require downtime.