Security Measures
Last Modified: April 1, 2025
Data security and privacy are a top priority and concern for us, our customers, and their customers.
Insycle has successfully completed a System and Organization Controls (SOC) 2 Type II audit, performed by Sensiba LLP (Sensiba). Developed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 information security audit provides a report on the examination of controls relevant to the trust services criteria categories covering security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report describes a service organization’s systems, whether the design of specified controls meets the relevant trust services categories, and assesses the effectiveness of those controls over a specified period of time. Insycle’s SOC 2 Type II report did not have any noted exceptions and was therefore issued with a “clean” audit opinion from Sensiba.
Review our Trust Center to access the SOC 2 Type II report, Application Penetration Test report, Architecture Diagram, Cyber Liability Insurance, and related materials.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: Insycle hosts its Service with outsourced cloud infrastructure providers. Additionally, Insycle maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Insycle relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Insycle hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: Insycle has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces (APIs). Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Insycle’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
ii) Preventing Unauthorized Product Use
Insycle implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in Insycle’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of the Insycle web application at least annually. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Insycle’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security measures. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: Where permitted by applicable law, Insycle employees undergo third-party background or reference checks. In the United States, employment offers are contingent upon the results of a third-party background check. All Insycle employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: Insycle makes HTTPS (HTTP over TLS; the older SSL protocols that the term is still loosely applied to are retired) available on every one of its login interfaces and for free on every customer site hosted on the Insycle products. Insycle’s HTTPS implementation uses industry standard algorithms and certificates. An independently verified SSL Labs rating of A+ is available here: https://www.ssllabs.com/ssltest/analyze.html?d=app.insycle.com
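A customer who wants to confirm the transport posture for themselves rather than rely on a third-party rating can run a check like the one below. This is an added example, not Insycle's code: the policy floor (TLS 1.2), the weak-cipher markers and the 30-day certificate-expiry warning are assumptions chosen for illustration, and the two handshake records in sample_findings() are constructed, not observed.

```python
"""TLS posture check for a public HTTPS endpoint.

Added example, not Insycle's code. Policy values (TLS 1.2 floor, weak-cipher
markers, 30-day expiry warning) are assumptions chosen for illustration.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

MIN_VERSION = ssl.TLSVersion.TLSv1_2    # assumed policy floor
EXPIRY_WARN_DAYS = 30                    # assumed warning threshold
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies chain and hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    ctx.minimum_version = MIN_VERSION
    return ctx


def evaluate(version: str, cipher: str, not_after: datetime, now: datetime) -> list:
    """Policy findings for one observed handshake; an empty list means pass."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol %s is below the TLS 1.2 floor" % version)
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher suite %s" % cipher)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("certificate expired %d day(s) ago" % -days_left)
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append("certificate expires in %d day(s)" % days_left)
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Handshake with the host and evaluate what was actually negotiated (needs network)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return evaluate(tls.version(), tls.cipher()[0], not_after,
                            datetime.now(timezone.utc))


def sample_findings() -> dict:
    """Evaluate two constructed handshake records offline (not real observations)."""
    now = datetime(2025, 4, 1, tzinfo=timezone.utc)
    good = evaluate("TLSv1.3", "TLS_AES_256_GCM_SHA384", now + timedelta(days=200), now)
    bad = evaluate("TLSv1.0", "RC4-SHA", now - timedelta(days=1), now)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    # Live check of the endpoint the SSL Labs link above refers to.
    findings = probe("app.insycle.com")
    print("PASS" if not findings else "\n".join(findings))
```

Because the client context itself refuses anything below TLS 1.2, a server that only offers TLS 1.0 fails the handshake outright rather than producing a finding; treat a connection error from probe() as a failure of the same policy.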
At-rest: Insycle stores user passwords in accordance with industry standard practices for password storage. Data stored by Insycle is encrypted at rest.
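For readers who want to see what "industry standard practice" for password storage looks like in code, the block below puts the anti-pattern (an unsalted fast hash) beside a salted, memory-hard KDF with a self-describing record and constant-time comparison. It is an added example and says nothing about which KDF or parameters Insycle actually uses; the scrypt work factors are assumptions.

```python
"""Password storage: unsalted fast hash (what not to do) beside salted scrypt.

Added example of the industry-standard practice referred to above; it is not
Insycle's implementation. The scrypt work factors below are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import os

# Assumed scrypt parameters: N=2**14, r=8, p=1 costs roughly 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def weak_hash(password: str) -> str:
    """Anti-pattern: unsalted SHA-256. Equal passwords give equal digests, so a
    leaked table can be attacked with precomputation and at GPU speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted scrypt. The record carries its own parameters so they can be raised later."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Any malformed record fails closed instead of raising."""
    try:
        _, algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(weak_hash("hunter2") == weak_hash("hunter2"))               # True: no salt
```

Two records for the same password differ because each carries a fresh random salt; the weak_hash() pair shows why an unsalted digest leaks equality between accounts.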
c) Input Control
Detection: Insycle designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees to malicious, unintended, or anomalous activities. Insycle personnel, including security, operations, and support personnel, respond to known incidents.
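As a concrete illustration of the kind of alerting such aggregation supports, the block below runs two sliding-window rules over authentication log lines: a failed-login burst from one source address, and a success from that address while the burst is still fresh (the event a responder wants to see first). This is an added example, not Insycle's detection logic; the line format, thresholds and sample lines are constructed for illustration, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Failed-login burst detection over constructed authentication log lines.

Added example of the kind of alerting described above; not Insycle's logic.
The log format, thresholds and SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 UTC> auth <success|failure> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2025-04-01T10:00:01Z auth failure user=alice ip=203.0.113.5",
    "2025-04-01T10:00:03Z auth failure user=alice ip=203.0.113.5",
    "2025-04-01T10:00:07Z auth failure user=admin ip=203.0.113.5",
    "2025-04-01T10:00:09Z auth failure user=bob ip=198.51.100.7",
    "2025-04-01T10:00:12Z auth failure user=alice ip=203.0.113.5",
    "this line is not in the expected format",
    "2025-04-01T10:00:15Z auth failure user=alice ip=203.0.113.5",
    "2025-04-01T10:00:20Z auth success user=alice ip=203.0.113.5",
    "2025-04-01T10:30:00Z auth success user=bob ip=198.51.100.7",
]


def parse(line: str):
    """Dict for a well-formed line, None otherwise; malformed lines are skipped, not fatal."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Evaluate two rules in log order:
      failed_login_burst  : in-window failure count from one IP lands on `threshold`
      success_after_burst : a success from that IP while the burst is still fresh
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    burst_until = {}                # ip -> time until which a success is suspicious
    alerts = []
    for ev in filter(None, map(parse, lines)):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "failure":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) == threshold:           # fire as the threshold is crossed
                alerts.append({"rule": "failed_login_burst", "ip": ip,
                               "at": ts.isoformat(), "failures": len(q)})
                burst_until[ip] = ts + window
        elif ip in burst_until and ts <= burst_until[ip]:
            alerts.append({"rule": "success_after_burst", "ip": ip,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts


def run_sample() -> list:
    """Run the rules over the constructed sample."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, 203.0.113.5 trips the burst rule at its fifth failure (10:00:15) and the success five seconds later is flagged against it; 198.51.100.7 has a single failure and a success half an hour later, so it produces nothing. Raising the threshold to six silences both alerts, which is the knob to tune against the real false-positive rate.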
Response and tracking: Insycle maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Insycle will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Insycle becomes aware of unlawful access to Customer data stored within its products, Insycle will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Insycle is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Insycle deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Insycle selects, which may include via email or telephone.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online backups: All databases are backed up and maintained using at least industry standard methods. Data is backed up daily from the US-East region to the US-Central region.
Disaster Recovery: Insycle maintains a disaster recovery plan that details how we sustain key product infrastructure in the event of a disaster. The disaster recovery plan is documented, updated, and tested annually as part of our SOC 2 compliance. The primary region is the US-East, and the secondary region is the US-Central.
System Reliability and Recovery: We provide real-time updates and historical data on system status via the Status Page.
Insycle’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Insycle operations in maintaining and updating the product applications and backend while limiting downtime.
e) Report Security Issues
We are committed to continuously enhancing our security posture. To report an issue or concern please contact us at: security@insycle.com