2023-04-11 NOTICE: The following policy or plan is currently under internal review and may not be up-to-date or fully aligned with our organization's current practices or procedures. Please check back shortly, or contact us for more information.

Introduction

Fox and Geese LLC ("FOX", "Fox and Geese") operates multiple software products, including Versionista, Fluxguard, Fathom, Deep Dive Duck, and Needle X3. For many of these software products, we use the product name as a registered "Doing Business As" (D/B/A) trade name. As such, we may use "Fox and Geese", "Fox", "Versionista", "Fluxguard", or our other established trade names interchangeably in these policy materials.

Fox and Geese is committed to ensuring the confidentiality, privacy, integrity, and availability of all digital information it receives, maintains, processes and/or transmits on behalf of its Customers. As providers of compliant, hosted infrastructure used by technology vendors, developers, designers, agencies, custom development shops, and enterprises, Fox and Geese strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by Fox and Geese to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit data for Fox and Geese Customers.

Fox and Geese provides secure and compliant cloud-based software. This hosted software falls into two broad categories: 1) Platform as a Service (PaaS) and 2) Platform Add-ons. These categories are cited throughout the policies, as Customers in each category inherit different policies, procedures, and obligations from Fox and Geese.

Platform as a Service (PaaS)

PaaS Customers utilize hosted software and infrastructure from Fox and Geese to deploy, host, and scale custom-developed applications and configured databases. These Customers are deployed into compliant containers run on systems secured and managed by Fox and Geese. Fox and Geese does not have insight or access into application-level data of PaaS Customers and, as such, does not have the ability to secure or manage risk associated with application-level vulnerabilities and security weaknesses. Fox and Geese makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of PaaS Customer data through network controls (firewalls, dedicated IP spaces, etc.) and server settings (encryption at rest and in transit, OSSEC throughout the Platform, etc.).

Compliance Inheritance

Fox and Geese provides hosted software infrastructure for its Customers. Fox and Geese's service offerings are available on AWS, Azure, Rackspace, and SoftLayer.

Fox and Geese signs Business Associate Agreements (BAAs) and Master Services Agreements (MSAs) with its Customers. These BAAs outline Fox and Geese obligations and Customer obligations, as well as liability in the case of a breach.

Fox and Geese does not act as a covered entity. When Fox and Geese does operate as a business associate (not a subcontractor), Fox and Geese does not interface with users to obtain or provide access to PHI or PII. Access to PHI or PII is through our customers' applications.

Certain aspects of compliance cannot be inherited. Because of this, Fox and Geese Customers, in order to achieve full compliance or HITRUST Certification, must implement certain organizational policies. These policies and aspects of compliance fall outside of the services and obligations of Fox and Geese.

Fox and Geese Organizational Concepts

The physical infrastructure environment is hosted at various public cloud providers. The network components and supporting network infrastructure are contained within the public cloud providers' infrastructures and managed by said public cloud providers. Fox and Geese does not have physical access to the network components. The Fox and Geese environment consists of Cisco firewalls; nginx web servers; JavaScript, Perl, Python, and Go application servers; Percona, MySQL, DynamoDB, Aurora, PostgreSQL, and other database servers; Logstash logging servers; Linux Ubuntu monitoring servers; Windows Server virtual machines; Chef and Salt configuration management servers; OSSEC IDS services; Docker containers; and developer tool servers running on Linux Ubuntu.

Within the Fox and Geese Platform on public cloud providers, all data transmission is encrypted and all hard drives are encrypted, so data at rest is also encrypted; this applies to all servers, including those hosting Docker containers, databases, APIs, log servers, etc. Fox and Geese assumes all data may contain ePHI or PII, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

In the case of PaaS Customers, it is the responsibility of the Customer to restrict, secure, and assure the privacy of all PHI or PII data at the Application Level, as this is not under the control or purview of Fox and Geese.

The data and network segmentation mechanism differs depending on the primitives offered by the underlying cloud provider infrastructure.

The segmentation strategies employed by Fox and Geese effectively create dedicated, private, segmented and separated RFC 1918 networks and IP spaces for each PaaS Customer and for Platform Add-ons.

Additionally, iptables is used on each server for logical segmentation. iptables is configured to restrict access to only justified ports and protocols. Fox and Geese has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers. The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS-encrypted session.
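The following is an added illustration of the per-server iptables posture described above (default-deny on inbound traffic, with only business-justified ports admitted); it is example code written for this page, not Fox and Geese's own configuration. The management subnet, the port list, and the log prefix are constructed placeholders, and the ruleset is emitted in iptables-restore format so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not Fox and Geese's configuration): generate a default-deny
# iptables ruleset that admits only explicitly justified TCP ports.
# MGMT_NET is an assumed RFC 1918 management range (bastion / VPN side).
MGMT_NET="${MGMT_NET:-10.0.0.0/8}"

# build_ruleset PORT... : print an iptables-restore ruleset to stdout.
# INPUT and FORWARD default to DROP; OUTPUT is left ACCEPT.
# Returns 1 (and prints nothing useful) if a port argument is not numeric.
build_ruleset() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "build_ruleset: invalid port '$port'" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SSH is justified only from the management network, never from the Internet.
    echo "-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Each remaining justified port is admitted for new connections from anywhere.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of what the default policy is about to drop, so a
    # host IDS or log pipeline (OSSEC / Logstash on this page) can pick it up.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# count_accept_ports RULESET : number of explicit port-admitting rules, for review.
count_accept_ports() {
    printf '%s\n' "$1" | grep -c -- '--dport'
}

# apply_ruleset PORT... : syntax-check the generated ruleset with
# `iptables-restore --test`, then load it. Requires root; not run here.
apply_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Usage: a web server whose only justified Internet-facing port is HTTPS.
build_ruleset 443
```

Running the script prints the ruleset for review; `apply_ruleset 443` (as root) validates it with `iptables-restore --test` before loading, so a typo in a port list cannot leave the host with a half-applied policy.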

In the case of Platform Add-ons, once the data is received from the application server, a series of Application Programming Interface (API) calls is made to the database servers where the PHI or PII resides. The PHI or PII is separated into PostgreSQL and Percona databases through programming logic built so that access to one database server will not present you with the full PHI or PII spectrum.

The VPN server, nginx web server, and application servers are externally facing and accessible via the Internet. The database servers, where the PHI or PII resides, are located on the internal Fox and Geese network and can only be accessed through a bastion host over a VPN connection. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. Remote access to internal servers is available only through the load balancers.

All Platform Add-ons and operating systems are tested end-to-end for usability, security, and impact prior to deployment to production.

Requesting Audit and Compliance Reports

Fox and Geese, at its sole discretion, shares audit reports, including its Corrective Action Plans (CAPs), with Customers on a case-by-case basis. All audit reports are shared under an explicit NDA, in Fox and Geese format, between Fox and Geese and the party receiving the materials. Audit reports can be requested by Fox and Geese workforce members on behalf of Customers or directly by Fox and Geese Customers.

The following process is used to request audit reports:

  1. Email is sent to legal@versionista.com. In the email, please specify the type of report being requested and any required timelines for the report.
  2. Fox and Geese staff will log an issue with the details of the request into the Fox and Geese Quality Management System. The Fox and Geese Quality Management System is used to track requests' status and outcomes.
  3. Fox and Geese will confirm if a current NDA is in place with the party requesting the audit report. If there is no NDA in place, Fox and Geese will send one for execution.
  4. Once it has been confirmed that an NDA is executed, Fox and Geese staff will move the issue to "Under Review".
  5. The Fox and Geese Security Officer or Privacy Officer must Approve or Reject the Issue. If the Issue is rejected, Fox and Geese will notify the requesting party that we cannot share the requested report.
  6. If the issue has been Approved, Fox and Geese will send the customer the requested audit report and complete the Quality Management System issue for the request.

Version Control

Refer to the GitHub repository at https://github.com/foxandgeese/policies for the full version history of these policies.