Privacy and Security
Your security is our priority – safeguarding consumer data is integral to our commitment to trust and privacy.
Data at rest
Database volumes are encrypted at rest using AES-256 managed keys and files stored in S3 buckets are encrypted with SSE-S3 managed keys. Security credentials that provide access to the data are rotated frequently. S3 file data is versioned, and database backups are automatically created and preserved for up to 6 years. Backups are periodically tested to ensure restoration viability.
Data in transit
All traffic is encrypted using strong, standards-compliant TLS v1.2 ciphers, with HTTPS enforced and HSTS enabled. Endpoints sit behind AWS Elastic Load Balancers, which accept only valid TCP connections, so volumetric DDoS attacks such as UDP and SYN floods never reach the application layer. Server-side communication with vendors is authenticated using secrets stored in a secure Key Management System.
Fortuna Health regularly engages leading application security experts for third-party penetration testing. This testing involves a thorough vulnerability and risk assessment of the deployed application, including certificate verification, checks for environment misconfigurations, and confirmation that the system is built with best-practice security measures in mind.
Secure development principles
In building the Fortuna platform, we follow best-practice security principles. This starts with addressing the globally recognized OWASP Top 10 application security risks and extends to satisfying the OWASP ASVS and WSTG testing standards. We use high-quality static analysis and dependency-scanning tools such as Snyk and GitHub Dependabot to help ensure the security of our product.
Fortuna Health's Aptible-managed VPC stack has its own isolated network which is private and not directly accessible by the internet. The VPC networks and hosts are secured with managed scanning, patching, and automatic security updates.
The underlying AWS infrastructure provides additional security measures such as the Xen hypervisor, blocking unauthorized port scanning, AWS Shield Standard, and AWS host-based firewalls.
Fortuna's web app and database Docker containers run in private subnets, protected from direct exposure to the internet, with internal endpoints providing private networking within the stack. Aptible provides managed host hardening, automatic security updates and patching, and network and host vulnerability scans. The containers run with high availability, using automatic health checks and rollbacks, Container Recovery, and cross-AZ container scheduling to increase resiliency and reliability.
The Aptible-managed Network Intrusion Detection system monitors the VPC for potential network-level intrusions, while the Host Intrusion Detection system monitors the stack hosts for intrusions including unauthorized SSH access, rootkits, file integrity violations, and privilege escalation. Aptible proactively responds to any issues that arise, 24/7. All systems include robust logging infrastructure at the application and network levels. Access to these systems is governed by centralized, role-based IAM with MFA.
At Fortuna Health, data privacy is of the utmost priority – we strive to be dependable guardians of all sensitive data entrusted to us.
We are always upfront with users and communicate clearly and concisely how we intend to use their data.
Fortuna continuously assesses updates to regulatory and emerging frameworks to ensure continued compliance.
Looking to report a security concern?
If you believe you’ve found a security vulnerability in Fortuna's service, please let us know and we will work with you to resolve the issue promptly.