Security Statement Minddistrict
Security matters a lot, especially in digital health care
Minddistrict is a leader in ehealth solutions. Thousands of institutes and care-providers have entrusted Minddistrict with data in our e-health platforms and make use of our services. Because many of our customers provide medical care, we take our customers and their clients security and privacy concerns very seriously.
- Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. Minddistrict issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
- Passwords: User application passwords have minimum complexity requirements and such as use of a minimum number of characters (12) and special characters. Passwords are stored encrypted.
- Single Sign-On: For certain customers Minddistrict supports access-control to solutions of Minddistrict for their organisation.
- Data Portability and Preservation: Minddistrict enables customers to export your data from our system, following a procedure to prevent misuse or unauthorised distribution. Also we store data or use it with other applications.
- Data Residency: All Minddistrict user data, is stored on servers located in secure databases in the European European Economic Community (EEC). The EEC requires a very high level of privacy. For customers in the United Kingdom all personal data of clients is stored on a separate location in the United Kingdom. Only certain production servers contain personal data of end- users, whereas development servers do not contain personal data. We store our office data and the corporate website of Minddistrict on a separate (physical and logical) location, apart from our production environment.
The Minddistrict solutions and production environment are stored in heavily secured data centers. These data centers include all the necessary physical security controls you would expect in a data center these days (24×7 monitoring, cameras, visitor logs, entry requirements). Our hosting party has certifications for ISO 27001:2013, ISAE 3402 Type II, NEN 7510 and ISO 14001. For more information, visit Intermax.
- Testing & development: System functionality and design changes are verified in an separate test environment and subject to automatic and manual tests prior to deployment to our active production systems.
- Firewalls: Minddistrict uses a multilayered firewall solution to restrict access to permitted users and controlled processes.
- Access Control: Access of staff to our app requires two-factor authentication, and role-based access is applied to ensure only authorised staff is allowed to certain environments or data.
- Logging and Auditing: Central logging systems capture and archive internal systems accessincluding authentication attempts.
- Encryption in Transit: By default, Minddistrict has Transport Layer Security (TLS) enabled to encrypt traffic between you and our e-health platform. All communications with our domains (minddistrict.com, mindistrict.co.uk and Minddistrict.de) are sent over TLS connections, which protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients. We strive to maintain the highest possible rating on SSL tests.
- Patching: we ensure critical security patches are applied to our systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
- Third Party Scans: Our environments are continuously scanned using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.
- Penetration Testing: External organisations perform periodic penetration tests. We select highly skilled and recognised suppliers to ensure the high level of security and follow up on findings.
Organisational & Administrative Security
- Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
- Employee Screening: We perform background screening on employees. Also all of our Employees have signed maintain confidentiality and abide to our internal policies.
- Training: We provide security awareness and technology training for employees.
- Service Providers: We screen our service providers and require them to use appropriate confidentiality and security obligations depending on the circumstances.
- Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis, following our policy.
Software Development Practices
- Compatibility: We strive to keep Minddistrict solutions compatible with various operating systems such as Windows, Android and iOS. Also Minddistrict participates active in various compatibility projects such as `koppeltaal`, to facilitate customers connect solutions of Minddistrict with their environment and third party solutions.
- Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines which align with the ` OWASP Top 10`.
- Deployment: We deploy code on regular basis, giving us the ability to react quickly in the event a bug or vulnerability is discovered within our code.
Handling of Security Breaches
Despite best efforts, no method of transmission over the internet and no method of electronic storage is 100% secure. We cannot guarantee absolute security. However, if Minddistrict learns of a security breach, we will notify affected customers and if necessary users so that they can take appropriate protective steps, following applicable EU legislation on privacy and data breach notification. Such notification may include providing email notices or posting a notice on our website if a breach occurs.
Keeping data secure cannot be done by Minddistrict alone. Security depends all parties, including both customers and all clients. They also need to maintain the security of their accounts by responsible use of passwords and use of our solutions in safe environments. Please update your devices and software to keep up with industry standards, as this is known to reduce the risk of being compromised. Customers should also ensure that they have sufficient security by using an information management security system and take appropriate measures to maintain a sufficient level of security for the data involved.
Upon request we can offer advice regarding the use of our solutions, but it is your responsibility as data controller, and/or in your best interest as data subject, to ensure that your data is processed in a safe, responsible and legitimate manner.
Due to the number of customers who use our service, specific security questions or custom security forms can only be addressed for customers purchasing a certain volume of licenses and solutions of Minddistrict. If your company has a large number of potential or existing users and is interested in exploring such arrangements, please contact our staff by e-mail, or mail to:
Jan Evertsenstraat 749
1061 XZ Amsterdam, The Netherlands
We will make sure your request is handled with due care.