Hosting Environment
CoachAccountable is hosted with INAP in a SOC 2-Certified data center located in the United States (Chicago, Illinois, to be exact), in a HIPAA-compliant hosting environment protected by a hardware Web Application Firewall. The split server architecture has the database located in a DMZ that is inaccessible to web traffic.
All web traffic to and from CoachAccountable is encrypted via TLS/SSL, mandated by HSTS (HTTP Strict Transport Security).
Outside of allowed web traffic, connections to the environment are allowed only via SSH, and only for authenticated users who are logged into the VPN.
The CoachAccountable database is backed up nightly, and the backups are stored encrypted offsite with Amazon S3.
Regulatory Compliance
CoachAccountable is fully GDPR compliant. We do NOT have separate policies for users from parts of the world outside of the European Union, so all users worldwide enjoy the same protections and rights over their data and how it is used by CoachAccountable.
You can find complete details on what data we capture and how we use it in our Privacy Policy. Use of CoachAccountable is subject to our Data Processor Addendum, which outlines our mutual responsibilities in our handling of your data (and the data of your clients), as well as our operating procedures for secure data handling.
CoachAccountable is NOT HIPAA compliant. Our server environment is HIPAA compliant, and generally our policies and practices around data handling are in line with HIPAA regulations, BUT many of the requirements for HIPAA compliance are antithetical to the frictionless user experience that CoachAccountable is designed for. If you require HIPAA compliance, CoachAccountable is not the solution for you.
Our Operating Procedures for Data Handling
As CoachAccountable, we are responsible stewards of all data you or your clients enter into our platform. As such, authorized staff have the ability to access customer data and will do so with discretion when requested, to provide either assistance or troubleshooting.
We tread very lightly with this access. Much like a professional plumber you might invite into your house to fix a sink, we go right to the issue with no detours to rifle through your drawers. All staff access to customer data is logged and periodically reviewed, and all staff are subject to this data security agreement.
User Access Controls
Owners of a CoachAccountable Team Edition account are able to add and invite other users to their account. Other users will have their own separate logins to the system. An owner can selectively grant fine-grained permissions governing what a given other user can and can’t do (and see) within their account.
In addition to fine-grained permissions, an account owner (or authorized user) is able to specifically pair a given user with only select coaching clients, allowing effective siloing of users according to proper lines of visibility and access.
Getting Data Out
Ultimately you own all data you (and any users within your account) enter into CoachAccountable, and that data is easy to get out in a variety of formats.
This includes:
- Reports as CSV files
- Client records as portable HTML files
- All user uploaded files
- Account content in a raw, machine-readable format (JSON)