Security at MedsEngine
At MedsEngine, security is a central aspect of our work. Our security teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors. Our policies, practices, and technologies are designed to safeguard your data across MedsEngine products and services.
Our policies are based on Microsoft's Zero Trust principles:

- Verify explicitly, so that only trusted identities perform intended and allowed actions that originate from expected locations.
- Use least-privilege access: the right identities, with the right set of permissions, for the right duration, to the right assets.
- Assume breach of security controls, and design compensating controls that limit risk and damage if a primary layer of defense fails.
Data Protection
Data at rest
All datastores holding customer data, as well as S3 buckets, are encrypted at rest.
Data in transit
MedsEngine uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by Microsoft and DigiCert.
Security Management
Encryption keys are managed via Microsoft's Key Vault Managed Hardware Security Modules (HSMs).
Application secrets are encrypted and stored securely in Microsoft's Key Vault, and access to these values is strictly limited.
Product security
Penetration testing
MedsEngine engages penetration testing consulting firms at least annually. All areas of the MedsEngine product and cloud infrastructure are in scope for these assessments, and source code is fully available to the testers to maximize the effectiveness and coverage of each assessment.

Vulnerability scanning
MedsEngine requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):
- Static analysis (SAST) of code during pull requests and on an ongoing basis
- Dynamic analysis (DAST) of running applications
- Network vulnerability scanning
- Software composition analysis (SCA) to identify known vulnerabilities in the third-party components our software depends on