Catalyst protects our users’ data from theft, disaster, and misuse by adhering to comprehensive industry standards and guidelines. Below is a list of features and measures Catalyst takes to ensure the security of users’ information and data.
Mobile Device Security
As Catalyst is a cloud-based data system, meticulous design and planning have gone into securing the mobile application.
- All traffic to and from the device is encrypted with industry-standard 4096-bit AES "bank-level" encryption. This prevents snooping on the internet traffic by unwanted third parties.
- All Protected Health Information (PHI) data (if sent to the device) is encrypted on the mobile device using keys that Catalyst securely manages centrally.
NOTE: Regardless of encryption in place, users have the option to NOT send PHI data to the device by entering a value in the Student Code field under Demographics, you can ensure that no identifying information is sent to the device. Click here for more information about assigning a Student Code.
- Trial data recorded on the device also never contains any PHI data. An example of the captured data can be seen below. This is the information that is transferred over the "wire".
Note about Public Hotspots
Catalyst uses SSL for both mobile devices and portals and is secure over public hotspots. Only a public key and encrypted messages are transmitted (and these too are signed by root certificate) during the setup of TLS, the security layer used by SSL. The client uses the public key to encrypt a master secret, which the server then decrypts with its private key. All data points are encrypted with a function that uses the master secret and pseudo-random numbers generated by each side.
- the data is secure because it is signed by the master secret and pseudo-random numbers.
- the mast secret and pseudo-random numbers are secure because it uses public-private key encryption when the TLS handshake occurs.
- the public-private key encryption is secure because:
- the private keys are kept secret.
- public-private key encryption is designed to be useless without the private key.
- the public keys are known to be legitimate because they are signed by root certificates, which either came with your computer or where specifically authorized by you (pay attention to browser warnings!).
Thus, your HTTPS connections and data are safe as long as:
- You trust the certificates that come with your computer.
- You take care to only authorize certificates that you trust.
- Our data centers can only be accessed by authorized personnel. All visitors require photo identification and access is controlled via fingerprint scanners.
Redundancy and Integrity
- Catalyst utilizes three data centers in the United States. All customer data are replicated amongst those three centers and backed up nightly to off-site backup locations. Catalyst data is protected from natural disasters, power failures as well as computer malfunctions.
- Catalyst does not delete any data. All data recorded in Catalyst are stored indefinitely.
Application Level Compliance
- The application (both device and portal) timeout after 20 minutes of inactivity.
- All passwords must meet specific complexity requirements, including upper AND lower case characters, as well as at least one numeric digit and special characters.
- Devices can be remotely wiped of Catalyst data if lost or stolen.
- Users and groups can be created to allow for more restricted security for specific users of the system, such as support staff.