
Security Overview

The importance of protecting customer data cannot be overstated. This page provides some insight into how we keep customer data secure, private, and accurate.

Network Perimeter

Sonic Boom Wellness, a Premise Health company, protects its boundaries with a combination of load balancers, firewalls, VPNs, and SSH bastion hosts.

Account Security

User passwords are stored using an irreversible cryptographic hash.

Complex passwords are enforced for our administrative portals, and companies may choose to enforce complex passwords for our user-facing application portal.

SSO – We support Single Sign-On using SAML 2.0 in either IdP-initiated or SP-initiated configurations.

Encryption

At rest: Disks where customer data may reside are encrypted using 256-bit AES disk encryption.

In transit: Traffic to the Sonic Boom portals is encrypted in transit using TLS 1.2 or 1.3.

Physical Security

Our data centers have the following accreditations:

  • SOC 2 Type II
  • OIX-2 Certified
  • PCI
  • GLBA compliant
  • HIPAA compliant
  • HITECH compliant
  • FISMA Moderate

Operational Security

Our internal Security Operations Center is augmented by an industry-leading third-party managed detection and response service with 24/7/365 threat monitoring, alerting, validation, and proactive threat hunting.

Data-at-Rest Encryption. Encryption at rest covers not only the server disks where customer data may reside but also every workstation and laptop. Encryption keys are stored separately from the data.

Penetration Testing. In addition to internal penetration testing, we utilize third-party penetration testing for validation of our security program.

Vulnerability Management and Patch Management Program. We perform daily scans using industry-leading tooling on our internal and external networks as well as weekly scans of each of our web applications. Remediation and/or installation of patches is prioritized by severity, and our agile processes allow for immediate patching of our applications and infrastructure after appropriate testing.

Authentication. Administrative and developer access requires two-factor authentication for remote access.

Access Control. Access to systems is granted on a ‘need-to-know’ and ‘least-privilege’ basis, with employees acquiring access only to those systems necessary to perform their job functions.

Change Control. Documented change requests are completed for bug fixes, enhancements and new development, as well as all changes to production infrastructure and configuration.

Audit Logging. Our system operations are logged extensively, and the logs are stored encrypted for at least one year. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.

Organizational Security

We have a comprehensive set of information security policies in place, and employees are required to read and sign key policies upon hire and yearly thereafter.

All employees undergo regular security awareness training and phishing simulations.

All employees are thoroughly vetted using third-party background checks.

All employees sign a confidentiality agreement.

Compliance

HIPAA: Sonic Boom is HIPAA compliant.

SOC 2 – Type II: Sonic Boom has received a favorable and unbiased opinion from a third-party auditing firm validating our SOC 2 compliance. Our SOC 2 – Type II report (Security, Availability, and Confidentiality Trust Service Principles) is available to customers and prospects under NDA.

GDPR: Sonic Boom has undergone third-party attestation of its GDPR compliance.

Highly Available Infrastructure

Redundancy: Sonic Boom maintains a highly available application tier built on:

  • redundant power circuits and backup battery systems;
  • multi-path Internet;
  • servers built with RAID+BBU arrays, redundant NIC, and redundant PWS;
  • databases configured in either redundant or replicated clusters;
  • application servers placed behind redundant, dedicated, highly available load balancers.

Recoverability: We keep multiple layers of on-site and off-site backups; encrypted, of course. We have documented business continuity and disaster recovery plans in place. Our disaster recovery plan is tested at least annually, and database backups are restored and verified daily.

Availability: Our uptime is 99.965% for the last 12 months as of December 2022. Our status page is available publicly at http://status.sbwell.com/.

Responsible Disclosure

If you discover a vulnerability, please contact us at [email protected] so that we can arrange a secure communications channel. Once we receive your report, we will keep you informed while we remediate the issue as quickly as possible. Your report will be kept confidential and your personal details will not be shared with third parties without your consent.

We ask that you:

  • Do not send confidential information unencrypted.
  • Do not modify or delete production data.
  • Do not cause outages or slowdowns (no automated tooling).
  • Do not reveal or publish the vulnerability before a mutually agreed disclosure timeframe.

Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.