TABLE OF CONTENTS

• Security Overview
• Data Encryption and Protection
• Access Control and Authentication
• Compliance and Certifications
• Incident Response and Monitoring
• Data Backup and Recovery
• Third-Party Security
• Customer Responsibilities
• Security Updates and Patch Management
• Additional Security Features
• Security Best Practices
• Reporting Security Concerns

Security Overview

How do we protect sensitive and confidential information?

• We implement access controls, encryption, network segmentation, and regular security audits to protect sensitive information.

How do we respond to security vulnerabilities?

• We respond to identified security vulnerabilities within 24 hours, deploying patches or updates as needed.

Do you conduct third-party security assessments?

• Yes, we engage in third-party assessments for SOC 2. 
• Our selected hosting infrastructure providers are fully compliant with ISO 27001 and SOC 2.

How do you ensure compliance?

• Our hosting services comply with relevant data protection regulations (e.g., GDPR, HIPAA).

What security measures are in place?

• Our security measures include firewalls, intrusion detection systems, and regular security audits.

Data Encryption and Protection

Is the SQL database encrypted?

• Yes, SQL databases are encrypted to ensure data security.

What encryption standards are used?

• We use industry-standard encryption protocols (e.g., AES-256) with robust key management practices for data security.

Access Control and Authentication

How is data and service access managed?

• Access to your data and services is guaranteed 24/7, barring any unforeseen outages.

How is user account management handled?

• Creating, suspending, and deleting user accounts can be done within a few hours. Specific costs will depend on your subscription plan.

How are access controls managed?

• We use role-based access controls (RBAC) to manage permissions and ensure data security.

Are local admin rights required?

• The client application does not require local admin rights on each workstation.

Compliance and Certifications

Do you conduct third-party security assessments?

• Yes, we engage in third-party assessments for SOC 2. 
• Our selected hosting infrastructure providers are fully compliant with ISO 27001 and SOC 2.

How do you ensure compliance?

• Our hosting services comply with relevant data protection regulations (e.g., GDPR, HIPAA).

Incident Response and Monitoring

What happens in the event of a major outage?

• In case of a major outage at a cloud provider, our disaster recovery plans ensure minimal impact, with services restored swiftly using backup data.

How is monitoring handled?

• We perform continuous monitoring of our infrastructure for performance, security, and compliance.

Data Backup and Recovery

How are backups taken and stored on our hosted platform?

All products

• Backups of client production databases are continuous. We retain Point-in-time-Restore backups for up to 14 days.

          We retain weekly, monthly, and annual backups for long-term retention:

• Weekly backups kept for 12 weeks.
• Monthly backups (Week 1) kept for 12 months.
• Annual backups (Week 1) kept for 7 years.

• Three replicas of the backup data are maintained to protect it against hardware failures via GRS
• Geo-redundant storage (GRS): Copies backups synchronously three times within a single physical location in the primary region. Then it copies the data asynchronously three times to a single physical location in the paired secondary region.

  The result is:

  • Three synchronous copies in the primary region.
    

  • Three synchronous copies in the paired region that were copied over from the primary region to the secondary region asynchronously.

• We do not store backups outside of the customers elected data location.

Evolve Plus

• Backups of documents are taken each day.

- We retain daily backups for 2 weeks.

- We retain weekly backups for 12 weeks.

• Due to the nature of the document management and versioning in the software, by default, all previous versions are retained and backed up as per the above schedule.

Evolve Go

• Smokeball manage the backup of your documents in their cloud systems. Their servers are backed up frequently.  Please see Security Policy - Smokeball for more information.

How do clients access backups?

• On our hosted platform PracticeEvolve manages all backups internally, and clients do not have direct access to them. This includes the implementation of necessary security measures such as MFA for accessing our secure Azure vault where the backups are stored.
• All backup and security processes are handled by our team to ensure data integrity and protection.
  

How often are backups tested?

• Backup and restore processes are tested monthly
• Full restoration and recovery tests of key server configurations and data from backups are conducted bi-annually to ensure reliability.

What is the process for data restoration from backup?

• In the event of a major data loss, we can restore your data (unaltered) from a backup within 24-48 hours.

What happens if we run out of space?

• Additional storage can be provisioned as needed if you run out of space.

Third-Party Security

Do you conduct third-party security assessments?

• Yes, we engage in third-party assessments for SOC 2. 
• Our selected hosting infrastructure providers are fully compliant with ISO 27001 and SOC 2.

Customer Responsibilities

Who is responsible for decommissioning the old PE server?

• Decommissioning the old PE server will be your responsibility, though we can provide support and guidance as needed.

How is record purging handled?

• Records are purged based on your retention policies and regulatory requirements, typically on a periodic basis (e.g., quarterly or annually).

Security Updates and Patch Management

How are Windows updates and service downtime managed?

• Windows updates are managed to avoid any service downtime.

Additional Security Features

What security measures are in place?

• Our security measures include firewalls, intrusion detection systems, and regular security audits.

Are there additional infrastructure requirements?

• Users may need VPN access or secure internet connections for remote access. No significant additional costs are expected.

Security Best Practices

How do we protect sensitive and confidential information?

• We implement access controls, encryption, network segmentation, and regular security audits to protect sensitive information.

What encryption standards are used?

• We use industry-standard encryption protocols (e.g., AES-256) with robust key management practices for data security.

How do you respond to security vulnerabilities?

• We respond to identified security vulnerabilities within 24 hours, deploying patches or updates as needed.

Reporting Security Concerns

How do we respond to security vulnerabilities?

• We respond to identified security vulnerabilities within 24 hours, deploying patches or updates as needed.

Do you conduct third-party security assessments?

• Yes, we engage in third-party assessments for SOC 2. 
• Our selected hosting infrastructure providers are fully compliant with ISO 27001 and SOC 2.