Security

Your security is our priority – safeguarding your data is integral to Fortuna's commitment to trust and privacy.

Data security

Data in transit

All traffic is encrypted using strong, standards-compliant TLS v1.2 ciphers, with forced SSL and HSTS. Endpoints are fronted by AWS Elastic Load Balancers, which accept only valid TCP requests, so volumetric DDoS attacks such as UDP and SYN floods do not reach the application layer. Server-side communication with vendors is authenticated using secrets stored in a secure Key Management System.
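The transport policy above (TLS 1.2 or newer, HTTPS enforced, HSTS set) is something a defender can verify rather than take on trust. The following is an added example, not Fortuna's or Aptible's code: it parses a Strict-Transport-Security header per RFC 6797 directive syntax, checks the negotiated TLS version string in the form Python's `ssl` module reports it, and confirms that the plaintext endpoint redirects to `https://`. The sample headers, the host name `app.example.test` and the one-year minimum `max-age` are constructed assumptions, not values from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_TLS = (1, 2)             # floor stated on the page: TLS 1.2 or newer
MIN_HSTS_MAX_AGE = 31536000  # one year; an assumed minimum, not a value from the page


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax)."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # RFC 6797: unrecognised directives are ignored, so they are not errors
    if policy.max_age is None:
        policy.errors.append("missing required max-age directive")
    return policy


def parse_tls_version(name: str) -> Optional[Tuple[int, int]]:
    """Turn 'TLSv1.2' (the form ssl.SSLSocket.version() returns) into (1, 2)."""
    match = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", name)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2) or 0))


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_transport(tls_version: str,
                       https_headers: Dict[str, str],
                       http_probe: Tuple[int, Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means the stated transport policy is met."""
    findings = []

    version = parse_tls_version(tls_version)
    if version is None or version < MIN_TLS:
        findings.append(f"negotiated {tls_version}; TLS 1.2 or newer is required")

    # Forced SSL: the plaintext endpoint must redirect to an https:// URL.
    status, http_headers = http_probe
    location = _header(http_headers, "Location") or ""
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append(f"plain HTTP answered {status} without redirecting to https://")

    hsts_value = _header(https_headers, "Strict-Transport-Security")
    if hsts_value is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        policy = parse_hsts(hsts_value)
        findings.extend(policy.errors)
        if policy.max_age is not None and policy.max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {policy.max_age} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample observations (not captured from any real host).
GOOD_CASE = ("TLSv1.3",
             {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
             (301, {"Location": "https://app.example.test/"}))
WEAK_CASE = ("TLSv1.0",
             {"content-type": "text/html"},
             (200, {"content-type": "text/html"}))

if __name__ == "__main__":
    for label, case in (("good", GOOD_CASE), ("weak", WEAK_CASE)):
        print(label, evaluate_transport(*case) or "ok")
```

In practice the three inputs come from a live probe of your own endpoints (`ssl.SSLSocket.version()` for the negotiated version, the response headers of an HTTPS request, and the status and headers of a plain HTTP request); keeping the evaluation separate from the probing makes the policy check unit-testable offline.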

Data at rest

Database volumes are encrypted at rest using AES-256 managed keys, and files stored in S3 buckets are encrypted with SSE-S3 managed keys. Security credentials that grant access to the data are rotated frequently. S3 file data is versioned, and database backups are created automatically and preserved for up to 6 years. Backups are periodically tested to ensure they can be restored.

Application security

Penetration testing

Fortuna Health regularly engages with some of the best application security experts in the industry for third-party penetration testing services. This testing process involves a thorough vulnerability and risk assessment of the deployed application.

This includes certificate verification and checks for possible environment misconfigurations, as well as confirming that our system is built with best-practice security measures in mind.

Secure development


Infrastructure security

Intrusion detection

The Aptible-managed Network Intrusion Detection system monitors the VPC for potential network-level intrusions, while the Host Intrusion Detection system monitors the stack hosts for intrusions including unauthorized SSH access, rootkits, file integrity issues, and privilege escalation. The Aptible team proactively responds to any issues that arise, 24/7. All systems include robust logging at both the application and network levels, as well as of internal usage of the Aptible platform, which is protected by MFA-authenticated, role-based, centralized IAM.

Container-level configuration

Our web app and database Docker containers run in private subnets, protected from being targeted directly from the internet, with internal endpoints providing private networking within the stack. Aptible provides managed host hardening, automatic security updates and patching, and network and host vulnerability scans. The containers are high-availability, with automatic health checks and rollbacks, automatic Container Recovery, and automatic cross-AZ container scheduling to increase resiliency and reliability.

VPC-level configuration

Our Aptible-managed VPC stack has its own isolated, private network that is not directly reachable from the internet. The VPC networks and hosts are secured with managed scanning, patching, and automatic security updates. The underlying AWS infrastructure provides additional security measures, such as the Xen hypervisor, blocking of unauthorized port scanning, AWS Shield Standard, and AWS host-based firewalls.

Data privacy

At Fortuna Health, data privacy is of the utmost priority – we strive to be dependable guardians of all sensitive data entrusted to us.

Clear communication

We will always be upfront with our users and communicate the way we intend to use their data in a clear, concise manner.

Regulatory compliance

Fortuna continuously assesses updates to regulatory and emerging frameworks to ensure continued compliance.

Legal disclaimers

View Fortuna's Privacy Policy
View our Terms of Service
View our Disclaimer

Looking to report a security concern?

If you believe you’ve found a security vulnerability in Fortuna's service, please let us know and we will work with you to resolve the issue promptly.