myPortal.Team, LLC (myPortal.Team) is committed to developing technology that simplifies and secures the document request and delivery process. The technology is available and administered through the myPortal software-as-a-service web application.
The web application is a document transfer and storage portal designed to securely manage documents and improve communication on collaborative projects. The objectives of the web application are to enhance the user experience, reduce administrative frustration, and provide enhanced transparency into the status of a project.
At myPortal.Team we make security a top priority. We are transparent with our security practices so that our users can trust us with their data.
Description of Services Provided
The application allows users to manage critical aspects of the request process, providing enhanced transparency.
- Assign responsibilities, due dates and the priority of specific requests,
- Manage who has the ability to view specific items,
- Drag and drop documents from popular formats directly into specific requests,
- Centralize communications to enhance collaboration and reduce the need for email and meetings,
- Utilize smart updates, controlling the frequency with which you want to be notified, and
- Manage multiple projects utilizing dashboards featuring critical key performance indicators (KPIs).
Actions taken by specific users automatically move the workflow forward. The history of actions taken is logged, increasing transparency and reducing disputes – it’s clear to everyone the actions each user performed.
myPortal.Team’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. myPortal.Team has established an organizational structure that includes consideration of key areas of authority and responsibility, as well as appropriate lines of reporting.
SOC 2 (Type 2) Report
myPortal.Team undergoes an independent evaluation in the form of a SOC 2 Type 2 report on its description of the myPortal application and the suitability of the design and operating effectiveness of controls. This means that myPortal.Team has had an independent validation of our security controls in accordance with the American Institute of Certified Public Accountants’ applicable Trust Services Principles and Criteria.
Our SOC 2 report is available upon request and under NDA. Please contact us at support@myPortal.Team.
Risk analysis and risk management are recognized as important components of myPortal.Team’s corporate compliance and security programs. The risk management process is intended to support and protect the security, functionality and operation of the myPortal application.
Conducting thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of the myPortal application and developing strategies to efficiently and effectively mitigate the risks identified in the assessment process are integral to the mission of myPortal.Team.
myPortal.Team has a formal risk assessment process to establish its security objectives and identify and manage risks that could affect myPortal.Team’s ability to secure tenant data. Proposed changes are evaluated to determine if they present a security risk and what mitigating actions, if any, must be performed.
Software Development Life-Cycle
Once changes have been evaluated through the risk assessment process, approved changes are moved into development. Code is managed through a version-controlled repository. Code changes are subjected to peer review and tested in a separate test environment prior to migration to production. When the testing is complete, an approval process authorizes the change to production. A post-implementation review is performed for changes migrated to the production environment.
Emergency changes follow the formalized change management process but on an accelerated timeline.
myPortal.Team has several controls in place to ensure employees and contractors with access to the production environment are properly qualified. Background checks are performed for users that will have access to myPortal.Team systems. Potential employees are evaluated through resumes, reference checks, and an interview process.
Users that have been granted access are required to sign an acknowledgement and acceptance of the following on an annual basis:
- Confidentiality Agreement,
- Change Management and System Development Policy,
- Information Security Policy, and
- Security Incident Response Plan.
Upon termination from myPortal.Team, all access to myPortal.Team’s systems is removed.
Security and Privacy Training
While working at myPortal.Team, personnel are required to participate in security awareness training on at least an annual basis. They are also required to acknowledge that they have read and will adhere to myPortal.Team’s ethics and confidentiality agreement at least annually. Their acknowledgement includes the acceptance of their responsibility to behave in an ethical manner, protect myPortal.Team’s confidential information, and adhere to policies and procedures. In the event of a potential security incident, personnel are required to report the incident to specified internal teams. Failure to comply with the policies and procedures may result in consequences, up to and including termination.
The myPortal physical production environment is hosted entirely at Azure. Azure is deployed in Microsoft regional datacenters. These datacenters are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communication networks. This multi-layered security model is in use throughout every area of the facility, including each physical server unit.
Our storage and databases have been established consistent with Azure’s best practices availability paired regions methodology. This includes PaaS, Geo-Redundant Storage (data is automatically replicated three times within the primary region, and three times in the paired region), SQL Databases (SQL Standard Geo-Replication, which allows asynchronous replication of transactions to a paired region to be configured), and Azure Resource Manager (Resource Manager inherently provides logical isolation of service management components across regions).
The primary physical location of our third-party site is Microsoft Azure (Azure): South Central US (Austin). Backups are maintained at both the Primary and Recovery Sites. The Recovery Site is Azure: North Central US (Chicago). myPortal.Team does not have any physical access to the servers employed through Azure. See Physical Infrastructure Security protocols at Azure.
Secure Third-Party Data Centers
myPortal.Team utilizes Azure as its third-party hosting provider. Azure provides Cloud Solutions that comply with the mandates, standards and acts set forth to regulate and protect the industries that host with them.
Azure has the most comprehensive compliance coverage of any cloud provider with 50 compliance offerings. Azure embeds security, privacy and compliance in its development methodology. Azure has been recognized as the most trusted cloud for U.S. government institutions, including a FedRAMP High authorization that covers 18 customer-facing Azure services.
Microsoft covered cloud services are audited annually against the SOC reporting framework by independent third-party auditors. The audit for Microsoft cloud services covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.
Microsoft has achieved SOC 1 Type 2, SOC 2 Type 2, and SOC 3 reports.
The SSL/TLS protocol supported by myPortal.Team is TLS v1.2 through Azure web services.
Data at Rest/Transit
Azure Storage provides a comprehensive set of security capabilities which together enable developers to build secure applications. Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0. Storage Service Encryption (SSE) provides encryption at rest, handling encryption, decryption, and key management in a totally transparent fashion. Data is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.
SSE works by encrypting the data when it is written to Azure Storage, and can be used for block blobs, page blobs and append blobs. It works for the following:
- General purpose storage accounts and Blob storage accounts
- Standard storage and Premium storage
- All redundancy levels (LRS, ZRS, GRS, RA-GRS)
- Azure Resource Manager storage accounts (but not classic)
- All regions
Web services are shared. Databases are not shared. Document storage is shared but is obfuscated through the use of unique identifiers, and the metadata for all documents is stored in the database. Azure has standard Intrusion Detection Systems and Intrusion Protection Systems (IDS / IPS) as part of their network security infrastructure. myPortal.Team also employs Azure Security Center with Advanced Threat Detection to monitor events.
System Monitoring, Logging, and Alerting
myPortal.Team monitors servers to retain and analyze a comprehensive view of the security state of its production environment. myPortal.Team collects and stores logs for analysis. Logs are stored on a separate network. Access to the logs is restricted. Alerts are examined and resolved based on their priority.
myPortal.Team has an obligation to effectively protect the confidential information entrusted to it by employees and clients. Using complex passwords is a key step toward effectively fulfilling that obligation. Passwords used to access the myPortal.Team network must be at least 8 characters long and contain at least one uppercase letter and one number or special character. Passwords expire every 90 days. When a password expires, or a change is required, myPortal.Team personnel create a new password that is not identical to any of the last 10 passwords previously employed. Passwords stored electronically may not be stored in readable form where unauthorized persons might discover them. Passwords may not be written down.
myPortal.Team personnel are prohibited from accessing customer data without user permission. To minimize the risk of data exposure, myPortal.Team only stores customer data in the production environment, and we adhere to the principle of least privilege – myPortal.Team personnel are only authorized to access data that is necessary to fulfill their current responsibilities. Quarterly, a review is performed to ensure the access granted is appropriate for each user based on their job responsibilities.
myPortal.Team protects its workstations with the latest algorithm-based technology to prevent malware, viruses and ransomware from leading to a keylogger, crypto-locker, data loss or leakage event.
myPortal.Team employs a mobile device management system (MDM). Any mobile tablet or phone that connects to myPortal.Team’s email system is required to enroll in the MDM. Devices enrolled in the MDM can be remotely wiped.
Application Penetration Testing
As part of our threat and vulnerability management, myPortal.Team engages a third party to perform application penetration testing at least annually. Penetration testing is an all-encompassing security evaluation that measures how well an organization’s security posture stands up to malicious external and internal threats. Testing is performed through a combination of automated and manual testing in order to identify vulnerabilities. Performing penetration testing on an annual basis is considered a security best practice and an important component of a strong security program. Risks identified through the penetration testing exercise are addressed through myPortal.Team’s risk assessment and change management processes.
Default passwords are not used; new users are required to establish their password in connection with their account setup. myPortal.Team never has access to a user’s password. Minimum password requirements are set and are subject to change based on each tenant’s settings. Default settings for passwords require at least 8 characters, containing at least 1 number, 1 upper case letter, and 1 lower case letter. Stored passwords are hashed using HMAC-SHA1.
Administrators can perform the following functions:
- Manage users from a central administration interface that allows them to see user status, creation and last login, deactivate users, and manage individual user permissions, among other functions;
- Access audit logs, which provide the ability to sort, filter and export the data for further analysis;
- Manage site-wide settings such as defaulting the creation of items to private, modifying password complexity requirements, specifying user lockout settings, setting a session timeout control, requiring two-factor authentication, and establishing a login inactivity threshold;
- Establish role permissions to align with tenants’ system of quality control / policies;
- Limit site access for specific users by using IP Restrictions; and
- Implement SSO.
Users can determine who can access distinct categories of data like Engagements, Requests and related files. Users can limit access by marking individual Requests as private, or by restricting a user to only Requests to which they are assigned. Users can also see a history of key actions taken as well as the last time a specific user accessed an Engagement.
Disaster Recovery and Business Continuity
At least annually, myPortal.Team completes its risk assessment, business impact assessment and strategy. myPortal.Team’s primary risk relates to the appropriate selection and structure of our data centers.
myPortal.Team’s storage and databases have been established consistent with Azure’s best practices availability paired regions methodology. This includes PaaS, Geo-Redundant Storage (data is automatically replicated three times within the primary region, and three times in the paired region), SQL Databases (SQL Standard Geo-Replication, and asynchronous replication of transactions to a paired region), and Azure Resource Manager (Resource Manager inherently provides logical isolation of service management components across regions).
myPortal.Team will assist tenants that are HIPAA Covered Entities and Business Associates in carrying out their HIPAA related security obligations and compliance, including the execution of a Business Associate Agreement. myPortal.Team does not extract data, and therefore handles all data according to the same security standards.
Third Party Vendors
myPortal.Team maintains a vendor management program to ensure that third parties comply with confidentiality requirements and applicable policies and procedures. Vendors are evaluated and risk-rated based on their impact on the security of myPortal.Team’s production environment. myPortal.Team monitors the third party by conducting reviews before engagement and at least annually thereafter for high-risk vendors.
Report a Security Concern
Email us at support@myPortal.Team