Security & Privacy

Updated February 17, 2017

OpenMarkets understands the importance and critical nature of operating a secure infrastructure. We are in the business of fostering positive relationships between provider and supplier organizations, and we understand our success is built on a foundation of trust. We strive to ensure that user data is kept securely, and that we collect only as much data as is required to provide our services to users in an efficient and effective manner. The statements within this document provide a deeper review of the OpenMarkets approach.

To this end, OpenMarkets applies a tiered approach to securing its platform:

  • Application & User Security
  • Infrastructure
  • Operational

APPLICATION & USER SECURITY

Secure Data Transmission

Utilizing Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption, all application transactions and user activity are performed over a secure, encrypted channel for communication. This ensures the data transmissions are safe, secure and available only to the intended parties.

User Authentication and Authorization

All users on the platform are provisioned a unique login identifier that corresponds to their organization. All user access to the application and data is governed and restricted based on their role type and organization membership. Every unique login identifier is required to use a strong password that complies with minimum complexity requirements to reduce the threat of compromised entry in the application. Passwords, along with other sensitive data, are stored in an encrypted manner using the latest available security algorithms.

Data Portability

OpenMarkets subscribers have the ability to export their data sets through the application in several pre-defined formats - e.g., CSV and PDF. The process for exporting the data is managed and controlled in a two-step process of creating a safe document free of viruses, as well as sending the exportable document over a secure data channel.

INFRASTRUCTURE

Data Center and Accreditations

OpenMarkets physical infrastructure is hosted and managed within the most updated cloud-based data centers. Our service providers continually manage risk and undergo recurring assessments to ensure compliance with industry standards. Our service providers have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Data Center Surveillance

Our data centers are staffed and monitored 24 hours a day, 7 days a week, all year round. All physical access to facilities is secured by trained security guards, auditable visitation logs and the required entry requirements - e.g., verifiable identification materials and biometric controls. All aspects of the facilities and infrastructure are monitored, including environmental variables that are critical to the success of a great data center operation - i.e., controlled temperature, smoke / fire detection.

Fault Tolerance & High Availability

OpenMarkets architecture has been designed to utilize the latest in cloud-based technology to greatly reduce the risk of unplanned outages to the infrastructure. Fully redundant network devices and connectivity points are built in throughout the architecture - e.g., firewalls, routers, servers, power supplies, connectivity to the storage area network (SAN) and wide-area network Internet connectivity. Additionally, our service providers have contracted arrangements in place to draw power from multiple backup points including batteries, large diesel generators and substations.

Network Security Protection

In an effort to protect all Clients, their users and maximize productivity via high availability, OpenMarkets takes several proactive measures to protect the integrity of the network:

Distributed Denial of Service (DDoS) Mitigation

Our infrastructure provides DDoS mitigation techniques including TCP SYN cookies and connection rate limiting, in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.

Spoofing and Sniffing Protections

Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. OpenMarkets utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

Port Scanning

Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.

OPERATIONAL

Monitoring Services

The uptime of mission-critical services is continually monitored by contracted service providers with documented escalation procedures within OpenMarkets in the event of an unplanned outage.

Proactive Security Scans

Third party security testing of the application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team.

Environment Segregation

OpenMarkets clients and environments are segregated across multiple Development, Test, Demonstration and Production environments. This is to ensure the maximum level of testing can be performed without disrupting the Production environment.

Backups

Backups to the database occur hourly and are securely replicated to a centralized backup storage location within our data center service provider’s network. Our procedures are tested and the restore workflow is predictable in the event a restore is needed in the production environment.

Application Development

OpenMarkets has adopted OWASP Top 10 defensive coding techniques and controls to reduce the threat of a malicious attack on our Clients' managed infrastructure and software - i.e., SQL injection attacks, cross-site scripting, and cross-site request forgery.

Privacy and Compliance

OpenMarkets operational security efforts are led by a named Privacy & Compliance Officer who oversees all escalated matters and ensures timely resolution to reported incidents.

OpenMarkets is concerned about your privacy. The nature of the services provided on the Website requires that OpenMarkets collects and uses certain information about you. This Privacy Policy explains what personal information OpenMarkets collects from you from the Website, the manner in which OpenMarkets collects it, and the purposes for that collection. This Privacy Policy is designed to ensure that you are aware of how your personal information is being used and to provide you with choices about that use. By visiting the Website or submitting your personal information, you accept the terms described in this Privacy Policy. This Privacy Policy applies to information collected via the www.openmarkets.com Website and does not apply to information gathered through the OpenMarkets application, CAP Connect. The terms and conditions of the Client Subscription Agreement control the collection and use of information entered into the OpenMarkets application, CAP Connect.

COLLECTION OF PERSONAL INFORMATION

When you register on our Website, we will ask you for certain personal information such as, for example, your address, telephone number, and e-mail address. If you send OpenMarkets any correspondence, such as emails, letters, or requests for technical support, OpenMarkets may retain the information they contain. If any third parties provide information to us about you, we will treat that information in accordance with this Privacy Policy. You may choose to disclose or not disclose the personal information we request during the registration process; however, if you choose not to disclose the requested information, we may not be able to provide you with some or all of the information or services you request.

AUTOMATED INFORMATION COLLECTION

OpenMarkets automatically tracks certain information about you based upon your behavior while visiting the Website. This information is used to better understand and serve you by responding to your particular interests and needs. This information may include the Uniform Resource Locator (URL) that you just came from (whether this URL is on the site or not), which URL you next go to (whether this URL is on the site or not), what browser you are using, and your IP address. OpenMarkets may collect this information and may store this session information about you on our system. Any such information associated with you personally is subject to this Privacy Policy. You can turn off the ability to receive any of these cookies by adjusting the browser on your computer. Most browsers offer instructions on how to reset the browser to reject cookies in the "Help" section of the toolbar. If you refuse cookies, however, certain functions and conveniences of the Website may not work properly.

HOW WE USE YOUR INFORMATION

We use the information collected automatically to obtain general statistics regarding the use of the Website and its specific web pages and to evaluate how our visitors use and navigate the Website. For example, we may calculate the number of people who use the Website, open our emails, and determine which pages are most popular. OpenMarkets uses the information you provide through the registration process to provide you with the information and services you request, to communicate with you on matters relating to the Website and your account, to provide necessary information to accrediting or certifying bodies, and other of our business affiliates (but only in connection with the information and services you request from us) to provide you with information about related services and/or products. OpenMarkets may also use information about you to resolve disputes, troubleshoot problems, or enforce our rights. At times, OpenMarkets may review the information of multiple users to identify problems or to resolve disputes. Opt-Out Policy: If you do not wish to receive certain communications from OpenMarkets you may opt out by declining the service offered or informing us that you no longer wish to receive such communications. We will comply with your request unless such communications are necessary for the administration of your account, required by law, or necessary to protect our rights.

SHARING WITH THIRD PARTIES

Some of your private information may be disclosed to third parties in order to provide the information and services that you request, and may be used by both OpenMarkets and third parties to provide that information and/or perform those services. You acknowledge that certain activities may require OpenMarkets to share your private information, and/or the activity’s results with the associated third party accreditor or entity providing board certification. We are not responsible for the use of any such information by such third party accreditor or entity providing board certification, including use by any of the same in a manner not intended when such information is disclosed to them. We may combine, in a non-personally-identifiable format, the information that OpenMarkets collects from you with information from other users to create aggregate data, which may be used by us for research purposes or shared with third parties. For example, OpenMarkets might inform third parties regarding the number of users of our Website and their collective interaction within the Website. The aggregate data that we may share does not contain any information that could be used to identify or contact you, and we require parties with whom we share aggregate data to agree that they will not attempt to make this information personally identifiable, such as by combining it with other databases. We will not disclose your personal information to any third party without your prior permission, except as otherwise permitted by this Privacy Policy or the End User License Agreement into which it is incorporated by reference.

OTHER DISCLOSURE

Technical and legal circumstances beyond our control could prevent OpenMarkets from ensuring that your information will never be disclosed in ways not otherwise described herein. For example, among other things, we may be required by law, regulation or court order to disclose information to government representatives or third parties under certain circumstances. If OpenMarkets is requested by law enforcement officials or judicial authorities to provide information on individuals, OpenMarkets may, without your consent, provide such information. In matters involving claims of personal or public safety or in litigation where the data is pertinent, OpenMarkets may use or disclose your personal information without your consent or court process. Unauthorized parties may unlawfully intercept or access transmissions despite any commercially reasonable security efforts by OpenMarkets. Even with such technology, no website is 100% secure. Further, corporate restructurings, sale of assets, merger, divestiture and other changes of control or financial status affecting the Website may require disclosure as an incidental result of a transfer of assets by operation of law or otherwise. Therefore, OpenMarkets does not promise, and you should not expect, that your private information shall remain private under all circumstances and you shall not hold OpenMarkets or its business associates liable for its failure to do so.

YOUR RIGHTS

You may at any time print, download, or request a printed copy of this Privacy Policy or the End User License Agreement into which it is incorporated by reference.

SECURITY

OpenMarkets uses commercially reasonable efforts to ensure the security of your personal information, but no method of transmitting or storing electronic data is ever completely secure, and OpenMarkets cannot guarantee that your information will never be accessed, used, or released in a manner that is inconsistent with this policy.

TRANSFER OF DATA OUTSIDE YOUR HOME COUNTRY

Your information will be stored, processed, and accessed in the United States. If you use the Website from outside of the United States, you consent to the transfer of your information to the United States (i.e., outside your country of residence).

CHANGES TO THIS POLICY

From time to time OpenMarkets may modify this Privacy Policy. You can view the most recent version of the Privacy Policy at any time by clicking the “Privacy Policy” link at the bottom of pages on the Website. Your continued use of the Website after any modification indicates your agreement to the new terms.

CONTACT US

If you have any questions that are not answered elsewhere on this site, if you would like to review the personally identifiable information we have collected about you, or if you believe that this policy has been violated, please contact Michael Fineberg at (866) 447-3270 or mfineberg@openmarketshealth.com. Our response to such inquiries may be limited to information under our direct control.