Data Privacy and Protection
Stannp processes personal data on behalf of clients in compliance with US privacy laws including CCPA, CPRA, and HIPAA. We employ 256-bit AES encryption for data at rest and TLS 1.2/1.3 for data in transit, achieving A+ ratings from Qualys SSL Labs. All cryptographic keys are managed through Azure Key Vault. Clients retain full control with the ability to manage and delete data at any time. We comply with state breach notification laws and HIPAA breach notification requirements.
Acceptable Use Policy
Access to Stannp systems is controlled through unique User IDs and passwords with individual accountability. All customer data is classified as confidential and handled in accordance with applicable privacy laws. Unauthorized access, system modifications, and data transfers are strictly prohibited. All devices run automated antivirus software that must not be disabled.
Record Retention and Data Management
Stannp maintains comprehensive record retention in compliance with federal and state privacy laws including HIPAA, CCPA, and state-specific regulations. Customers retain full control to manage and delete data at any time through the platform, subject to legal retention requirements. All data is stored on HIPAA-compliant cloud infrastructure with 256-bit AES encryption at rest and TLS 1.2/1.3 in transit.
Incident Response and Security Management
Stannp maintains comprehensive incident response procedures to rapidly detect, respond to, and recover from security incidents. Our SIEM system provides 24/7 monitoring with real-time alerts. State and regulatory breach notification laws are followed for all applicable incidents. Post-incident reviews document lessons learned and implement preventive measures.
Multi-Factor Authentication
Multi-factor authentication is mandatory on all systems accessing PHI or sensitive customer data. Every internal user must authenticate using multiple factors with no exceptions. MFA is available as a security enhancement for customer accounts. Supported methods include Time-Based One-Time Passwords (TOTP) via authenticator applications (Google Authenticator, Microsoft Authenticator) and SMS verification codes. Application sessions automatically time out after 2 hours of inactivity, ensuring compliance with the HIPAA automatic logoff requirement. All authentication activities are logged and monitored through our SIEM system, with regular audits verifying compliance across all accounts.
Information Security
Stannp maintains robust information security management ensuring confidentiality, integrity, and availability of all data in accordance with HIPAA, CCPA, state-specific regulations, and ISO 27001 standards. All customer data is classified as confidential with least privilege access, and Protected Health Information (PHI) receives enhanced protections under HIPAA requirements. We implement comprehensive security measures including encryption, multi-factor authentication for PHI systems, regular audits and penetration testing, and immediate breach response with notifications as required by HIPAA and state laws.
Data Breach Response
Our comprehensive Data Breach Response Plan ensures prompt handling of security incidents through immediate assessment, containment, risk evaluation, regulatory notification, and post-incident improvement. We comply with all applicable state breach notification laws requiring notification without unreasonable delay.
Education and Security Awareness
All employees receive comprehensive annual security awareness training covering information security policies, HIPAA and state privacy regulations, threat recognition, data handling, and incident reporting. Role-specific training provides developers with OWASP Top 10 and secure coding practices, while compliance personnel receive specialized risk management and incident response training. HIPAA training is provided at induction with annual updates, delivered through multiple methods including courses, workshops, and our centralized SharePoint repository.
Asset Management
We maintain comprehensive asset management procedures compliant with the HIPAA Security Rule's physical safeguards and device and media controls, tracking all assets throughout their lifecycle. Assets handling PHI are specifically flagged for enhanced monitoring, encryption, and access controls, with HIPAA-compliant facility security.
Vulnerability Assessment and Patch Management
Mandatory vulnerability scans cover all systems processing confidential information using Qualys, GitHub automated scanning, Azure Cloud Defender, and Security Scorecard, with monthly assessments and continuous SIEM monitoring. Discovered vulnerabilities are patched according to Microsoft's severity ratings: critical within 7 days, important within 14 days, moderate within 30 days, and low severity based on risk assessment. Automated patching and monthly compliance monitoring ensure all endpoint devices and production systems remain protected, supporting HIPAA technical safeguards requirements for PHI-processing systems.