Torq Security Practices Overview
PLATFORM AND INTEGRATION SECURITY
The Torq Interface platform is built using industry best practices in encryption, data protection, and defense in depth.
Hospital data integrations are encrypted according to HIPAA-compliant NIST standards to protect client data.
Application code runs securely in Kubernetes Docker containers hosted on DigitalOcean, one of the premier infrastructure providers. Security updates are automatically included in every deployment.
Kubernetes and our database reside in a private VPC subnet with outside access restricted to multifactor-auth VPN nodes and secure platform load balancers.
Databases are encrypted at rest with AES-256 LUKS. In all cases, the usage of potentially sensitive data is minimized and the principle of least privilege is applied to access.
All hospital integrations are encrypted and secured according to the integration method, including but not limited to HL7, FHIR, direct database connections, HTTPS, and SFTP integration options.
MONITORING & INTRUSION DETECTION
The Torq Interface platform is heavily logged and monitored for both stability and intrusion detection. Access logs are maintained and analyzed for issues. KPIs are generated and monitored for performance, integration activity, and security signals. Upon detection, team members are immediately alerted to any activity outside of normal bounds.
Third-party scans are regularly performed to detect potential vulnerabilities in containers and application dependencies, which are then addressed.
MANUAL PENETRATION TESTING
The independent security company Breachlock performs periodic manual penetration testing to certify Torq security. Torq immediately addresses any issues that are discovered. Automated scans are performed continuously to detect any security regressions or new vulnerabilities.
OPERATIONAL SECURITY
Torq Interface staff are required to comply with the Torq security and acceptable use policies before accessing protected systems and data. This includes security training, multi-factor authentication on all applicable systems, strong passwords, and using secure SSO on all applicable systems.
APPLICATION SECURITY
Torq applications are designed to run securely in Apple iOS, Android, and Google Chrome. All applications are appropriately signed and communicate with platform servers securely via SSL. Authentication and authorization are performed using securely signed JWTs.
BUSINESS CONTINUITY & DISASTER RECOVERY
Torq Interface maintains regularly reviewed processes to minimize downtime and gracefully recover from events both large and small.
Small, expected events such as container or database failures are configured for automatic failover.
Large events such as zonal or regional host infrastructure failures are planned for with infrastructure-as-code, letting us manually fail over to different regions or even different platforms with minimal downtime. Databases are backed up offsite daily with write-ahead logs providing point-in-time recovery capabilities.
SOC 2
Torq Interface has maintained a SOC 2 certification since February 2023. The SOC 2 report can be provided upon request by emailing sales@torqinterface.com.
ISSUE MANAGEMENT
Torq Interface is committed to security and is continually working on enhancements as technology and our infrastructure evolve. If you have any questions about our security measures or technology, please contact us at help@torqinterface.com.