BrainHQ is a brain training service designed with multiple layers of protection that is distributed across a scalable, secure cloud-based infrastructure. BrainHQ users can train their brains and review their usage, progress, and performance at any time from web browsers and mobile app clients. Because user data is stored securely in the cloud, BrainHQ users can move seamlessly across locations and systems to train their brain wherever and whenever they prefer. BrainHQ is built primarily on Amazon Web Services, and employs other leading cloud service providers for specific purposes.
Posit Science has implemented and will continue to maintain appropriate technical measures and policies & procedures to protect user data as outlined below. Please note that we may update these security measures, and their description in this overview, from time to time.
Technical Measures
- Encryption: Data is protected in transit across the internet using Secure Sockets Layer (SSL)/Transport Layer Security (TLS 1.2), creating a secure tunnel protected by 256-bit Advanced Encryption Standard (AES) encryption. Data at rest is encrypted using 256-bit AES encryption. Our key management infrastructure is designed with operational, technical, and procedural security controls with very limited direct access to keys.
- Access Controls: Access to systems and data by Posit Science personnel is provided to specific people depending on their specific work responsibilities using a role-based access control system; and is logged and monitored to ensure appropriate use of that data. We use multi-factor authentication to further ensure that only authorized personnel access systems and data.
- Network Access: We maintain network security systems designed to provide multiple layers of protection. We use industry-standard protection techniques, including web application firewalls, virtual private clusters, IP white-listing, network security monitoring, and intrusion detection systems to maintain network security.
- Physical Access: Because our server infrastructure is hosted by Amazon Web Services (and other leading cloud service providers), physical access to systems hosting data is secured by a variety of techniques including 24/7 guards, video surveillance, and electronic badging.
- Availability & Reliability: The cloud services upon which BrainHQ is built are designed to be robust in the face of individual failures in computer hardware, network services, and supporting infrastructure, using automatic failover systems to continuously offer our service in the event of individual failures. BrainHQ data is continuously backed up from our primary databases to remote secondary databases to allow us to completely restart BrainHQ in the event of a physical disaster at our primary hosting facility.
Policies and Procedures
We employ a thorough set of security policies & procedures to ensure our personnel work in a way that protects the security of our data. These policies & procedures are reviewed and approved at least annually. Our personnel are notified of updates to these policies and are provided with training about how to follow these procedures.
- Personnel Training: Our internal policies require onboarding procedures that include security policy acknowledgement and training, communicating updates to security policy, and non-disclosure agreements. All personnel access to Posit Science systems is promptly removed when an employee or contractor leaves the company.
- Change Management: We ensure that security-related changes have been authorized prior to implementation into the production environments. Source code or network infrastructure changes are initiated by developers, reviewed by the security team, and implemented after successful completion of QA procedures.
- Service Providers: We evaluate and select all service providers that process BrainHQ data under our control based on their security certifications and compliance attestations, and review these qualifications on an ongoing basis.
- Corporate Office: We maintain a strict separation of data storage between our corporate office and our cloud service providers. BrainHQ data is only stored at secure cloud service providers, and not stored in our corporate office – all access to BrainHQ data is conducted by Posit Science personnel over secure internet connections to those secure cloud based service providers. Our corporate office maintains a standard set of physical access procedures, including guards, security cameras, and electronic key cards.
- IT Systems: Posit Science computers are set up with secure defaults, including full disk encryption, automatic locking after inactivity, local firewalls, and automatic security updates. IT systems in our corporate office are securely configured before deployment.
- Disaster Preparedness: We maintain a set of procedures that allow the continued operation of BrainHQ in the event of a physical disaster at either our primary hosting facility, or at our corporate office.
BrainHQ complies with the HIPAA technical safeguards, and each year, Posit Science undergoes a security audit following the SOC-2 standard to check our work and confirm that our security policies and procedures are working as designed to protect BrainHQ user data.
Posit Science operates a responsible disclosure program. If you have a security concern you would like to bring to our attention, please email us at security@brainhq.com and we’ll get back to you promptly to discuss it.