Security Statement Overview
Keeping our customers' data secure is Buxton’s #1 priority. We take a multi-layered approach to information security that is known as “Defense in Depth.” Defense in Depth is a strategy that incorporates enterprise data protection best practices to ensure your information remains secure while in our environment. We want to ensure your data is treated with the utmost care from the time we receive it, until the time we delete it. We also embrace and enforce a philosophy of “least privilege” throughout our ecosystem to ensure that information is accessible to essential personnel. Finally, Buxton will never resell any information you have provided to a third party of any kind.
SOC 2, Type 2 + HITRUST Compliance
SOC 2 Type 2 +HITRUST reports are independent, third-party examination reports that help clients to understand Buxton's control environment. Buxton has completed the System and Organization Controls (SOC) 2, Type 2 +HITRUST examination from the American Institute of Certified Professional Accountants (AICPA). HITRUST is based on a rigorous set of information security requirements that is tailored to the protection of Protected Health Information (“PHI”) as well as other confidential data. Additionally, the HITRUST framework is designed to address components from over 40 authoritative sources for information security frameworks, including HIPAA, NIST, CIS, FedRAMP, GDPR, and ISO 27001. Buxton has taken significant steps to create, document, implement and monitor processes required to maintain a high level of data security and confidentiality. The examination process covers critical factors such as risk management, system operations, change management, data monitoring, confidentiality and more. The purpose of the examination is to demonstrate the controls Buxton has implemented are suitably designed and operate effectively to ensure the security of its system and the confidentiality of client data.
At Buxton, we take our clients’ concerns regarding data protection very seriously, and we therefore do not distinguish between client data that contains PHI and that which does not. We apply the same strict protocols to all client data regardless of its contents.
Our infrastructure and security teams are both AWS and Information Security certified. Our Executive Security Committee (ESC) includes our Chief Financial Officer, Chief Information Security Officer, Corporate Controller and the SVP of Systems Engineering. Security is our highest priority and enforced from the very top of the organization.
Incident Response Plan
- We have implemented a formal procedure for security events and have educated all our employees on our various policies.
- If a security event was detected, it would be reviewed by key security team members and escalated to our Executive Security Committee (ESC) if warranted. If additional investigation or resolution is needed, our Incident Response Team is notified and assembled to rapidly address the event.
- After a security event is identified, addressed, and resolved, we would conduct a post-mortem analysis. The analysis would be reviewed with the ESC and distributed to all appropriate parties. It includes action items that would make the detection and prevention of a similar event easier in the future.
Build Process Automation
- We have functioning and frequently used automation in place so that we can safely and reliably roll out changes to the Buxton Analytics Platform quickly and efficiently.
Our services and data are hosted in Amazon Web Services (AWS) facilities located in the USA. Buxton services have been built with disaster recovery, high availability, scalability, and reliability in mind. Buxton implements strong access control policies combined with stringent auditing to ensure that the principle of least privilege is enforced. Buxton has also implemented an immutable backup strategy to protect against many forms of cyber-attacks.
We have uptime of 99% or higher. For additional details about these metrics, please contact our corporate office anytime.
All client data is stored within the United States and is housed within a single tenant database that is dedicated to each client, at the point of ingestion. This makes cross contamination of data among our clients impossible. As data moves through to our production area, all data is transformed, summarized, de-identified, then stored in standard structures utilizing Buxton-generated encryption keys.
We have several unit and quality assurance tests in place to ensure our application works as expected and data is rendered accordingly.
Data retention policies are in place to ensure your data remains in our ecosystem for the least amount of time possible for the requested scope of work. Per your request, the original data provided can be destroyed and a certificate of data destruction can be provided.
Data ingestion and customer deliverables are transferred to and from Buxton employing our MFT process. File transfers utilize the SFTP protocol. Once data is ingested at Buxton, then all databases with client data utilize transparent data encryption (TDE). Connections between databases use SSL encryption. For transfers between Windows systems, we only use SMB3 with encryption. We are enforcing 256-bit disk encryption on all endpoints. We have disabled the use of USB removable storage devices. We utilize Data Loss Prevention (DLP) and Security information and event management (SIEM) with a 24/7 SOC to monitor traffic including deviation from normal behavior. We have implemented technical controls to prohibit mobile devices from connecting to the production network.
Buxton is served 100% over https. All external Buxton traffic is encrypted in motion. We have two-factor authentication (2FA) and strong password policies for VPN access.
Permissions and Admin Controls
Buxton enables permission levels to be set for each user within the Buxton Analytics Platform. This may include access to certain data elements or the ability to access certain features within the application.
We use a variety of tools to monitor the health of our entire ecosystem. Our ecosystem includes databases, distributed workers, load balancers, web servers and other mission critical infrastructure. All user access to the Buxton Analytics Platform is logged and reviewed as needed.
Actions and changes in the Buxton Analytics Platform are logged and tracked through an Enterprise Change Management System.
On a regular basis, we engage with third-party auditors to review our security protocols to test the design and operating effectiveness of key internal controls over a period of time. In addition, we introduce new controls to stay up to date with emerging needs.
We have implemented an array of cybersecurity tools from industry leaders to ensure that we employee a mix of tried-and-true best practices coupled with cutting edge methodology to protect the Buxton Analytics Platform and our client’s sensitive information.
Reporting Suspicious Activity
If you suspect or witness a suspicious event within the Buxton Analytics Platform, please contact our office. Our phone number is (817) 332-3681 or you can reach our Chief Information Security Officer at CISO@buxtonco.com.