Jane's Guide Here's all the help you need to use Jane.

Cloud Security White Paper

We've built Jane with security and privacy as our main focus. It's what drives our culture, training, and hiring processes. And shapes how we've used technology to protect and secure data.

This white paper outlines Jane's approach to security and how we've ensured that securing Jane data has and always will continue to be our top priority.


Data Hosting

Amazon Web Services Jane's physical infrastructure is hosted and managed within Amazon Web Services' secure data centers. We utilize their built-in security, privacy, and redundancy features, including AWS's ability to perform regular backups. Amazon Web Services complies with leading security policies and frameworks, including ISO 27001, SOC 1 and SOC 2.
Resiliency Hosting on AWS allows Jane to remain resilient, even if one location goes down. AWS spans across multiple data centres within a particular region (called availability zones), which allows Jane servers to remain resilient in the event of a failure, including natural disasters or system failures.
Defense In Depth We've enabled AWS's security features like intrusion protection system and Web Application Firewall.
Encrypting Data Data that passes through Jane is encrypted, both at transit and at rest. We also encrypt all volumes where customer data is stored, and we also individually encrypt all backups. Data in transit is encrypted using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM and at rest using AES 256 encryption.
Datacenter Security AWS follows industry best practices and has strict physical access policies for the data centre building. For more information see Amazon's documentation on their physical access controls: AWS Data Layer
Data Storage All Jane accounts are individually stored within their own database schema.
Continuous Monitoring Jane has continuous and automated monitoring and vulnerability scanning on the AWS infrastructure so that we are proactive and have a complete awareness of any potential vulnerabilities, incidents, and threats.
Customer Backups We use mirrored database servers for real-time backups and perform daily backups. Backup files are stored utilizing AWS redundancy across multiple availability zones. All backups are encrypted in transit and at rest.
Data Deletion When it comes to deleting data, we do so in a way that does not allow for reconstruction by using NIST 800-88 guidelines to destroy data.


Application Security

Account Ownership As per terms of use, all Jane data is owned by the Account Owner. In addition, the Account Owner controls and configures all staff permissions and access levels. View our staff access level feature here: Staff Access Levels
Account Security Jane secures your credentials by using leading industry standards to salt and hash your credentials before it is stored. We also have additional documentation on our security features found here: Security Features
Activity Log Feature The Account Owner has access to the Activity Log that gives them a detailed breakdown of all Staff activity. This can be filtered by date range, staff member, and the type of data that they access.
Data Protection Jane will continue to secure and protect your data so long as you have a Jane account and unless instructed otherwise by the Account Owner. If the Account Owner decides to close their Jane account, we can export your data, free of charge, or we can place the account on hold at a lesser fee.
Development Lifecycle Jane developers follow a strict policy to ensure that Jane features and updates are secure my design, in development, and after deployment. Jane releases weekly (or sometimes more) updates that are heavily tested by our QA Team before deployment. All updates do not require downtime.
Third-Party Integration Jane's optional third-party services are assessed thoroughly before implementation to ensure that they meet our security requirements. No medical data or patient health information is sent to our third-party services. View our optional third-party integrations here: Jane's Integrations


Security Compliance

Regulatory Compliance Jane complies with applicable legal and regulatory requirements as well as best practices. This includes Jane's compliance with all Canadian Privacy laws, GDPR, HIPAA, and Standard Codes of Practice across multiple health professions.
PCI compliant Jane never stores or processes credit card information. This is completed by an optional integration by Stripe or Payfirma, which are PCI compliant. Additional information can be found here: Is Jane PCI-Compliant?
Dedicated Team We have a dedicated Security and Privacy Team that regularly reviews our policies, updates training and ensures that Jane is one of the top EMR companies to secure data.
Security Culture At Jane, we implement regular security training. The training that we provide is developed by our very own Security and Privacy Team, which covers our information security policies, security best practices, and privacy principles.
Confidentiality Jane employees sign a confidentiality agreement upon hire. We also have a strict policy that we only access your account when you request assistance from us. Furthermore, chart access is only visible to our senior managers. In either case, all access is logged.
Background Check All Jane employees complete a strict background check prior to employment.
Recovery Plan Jane maintains a Disaster Recovery Plan, which is regularly reviewed and updated by our Security and Privacy Team.
Incident Response Program Jane maintains an incident response program that defines the conditions and procedures we have in place to assess any relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events.
Privacy Breach Policy We follow the BC Privacy Commissioner's 4 Step Privacy Breach Response Protocol. The documentation can be found here: Privacy Breach Policy


Resources

Here are additional resources that you might find helpful:

If you have any questions for our team, please contact us at support@jane.app.