THIS SUPPORT ARTICLE REFERS EXCLUSIVELY TO THE NEW "RSVPIFY 3" FOUND AT HTTPS://APP3.RSVPIFY.COM. AN ENTERPRISE PLAN, AGREEMENT AND BAA ARE REQUIRED FOR ANY ACCOUNTS HANDLING PHI OR POTENTIAL PHI.
As a leading private event management and scheduling platform, the safety and security of all of our users' data -- and that of their guests and patients -- is of paramount importance to us. We've compiled a set of frequently asked questions to address RSVPify's procedures, controls and handling of Protected Health Information (PHI).
Does RSVPify operate its own data centers?
No, RSVPify contracts with Amazon Web Services, and all data centers, physical data center security protocols, and server and network-level security operations are under the purview of Amazon Web Services.
What data center security precautions are taken to ensure the safe handling of my data?
You can learn more about the controls and physical security operations of AWS here.
Will my data be stored in any AWS regions outside of the United States?
No, all U.S.-based client accounts are powered by AWS regions within the United States -- and all data is handled and physically stored exclusively within the United States.
Is RSVPify's AWS environment HIPAA compliant? Is RSVPify an AWS Business Associate?
Yes, RSVPify leverages HIPAA-compliant AWS servers and features in the delivery of our cloud-based services. You can learn more about AWS HIPAA compliance here.
RSVPify is an Amazon Web Services Business Associate.
Does my organization require a Business Associate Agreement (BAA) with AWS in order to use RSVPify?
No, RSVPify's Business Associate Agreement (BAA) with AWS covers your account and data with respect to the use of RSVPify's cloud-based services. A BAA with RSVPify, however, is required if your organization will be processing or uploading any PHI or potential PHI in its use of RSVPify.
Is my data encrypted?
All data associated with your account, including guest and patient data and registrations, is encrypted at rest.
All information sent or received is encrypted during transit using contemporary military-grade TLS/SSL standards.
Is my data backed up? Does RSVPify have a disaster recovery plan in place?
In the unlikely event of system failure and data loss, RSVPify can leverage auxiliary systems and data backups to allow for the timely execution of our disaster recovery plans.
At the conclusion of my contract with RSVPify, will my data be destroyed?
At the conclusion of your agreement with RSVPify, or at your request, RSVPify will permanently delete all registration-level data and any PHI associated with your account.
Prior to the deletion of your data, RSVPify will make reasonable attempts to alert you of pending deletion and encourage you to download and store any data that may require retention in compliance with U.S. Health and Human Services regulations and guidelines at your express discretion.
Note: It may take up to 90 days from the destruction of your data on RSVPify production-level servers before your data is also fully deleted from RSVPify backup methods. RSVPify backup storage is also secured within the AWS cloud.
Does RSVPify limit access to systems and data on an "as-needed" or "minimum-necessary" basis?
RSVPify limits staff and contractor access to systems and data sets required in the execution of individual job roles and responsibilities.
In order to support your account and your use of RSVPify services, you agree to grant RSVPify Support Staff access to your account and data on an as-needed basis.
Are RSVPify staff required to complete a security and confidentiality agreement? What IT security training must RSVPify staff undergo?
All RSVPify staff and contractors must certify their agreement to respect the security and confidentiality of all RSVPify data and any data associated with client accounts. RSVPify staff agree to access only information required to satisfy their job role or the needs of a given request.
All RSVPify staff and contractors must undergo basic security and awareness training as recommended by U.S. Health and Human Services (HHS) guidelines.
Does RSVPify employ malware and virus detection?
Servers: RSVPify 3 isn't hosted on "servers" in the traditional sense of the word. To provide scalability and security, we deploy "images" to Lambda instances. These images are immutable -- and as such, unless locally compromised, don't allow for the possibility of remote malware installation or virus infection.
Database: RSVPify leverages AWS Relational Database Service. Malware and virus detection is managed by AWS.
Software Dependencies: RSVPify regularly scans its software dependencies for known security issues and applies patches as needed.