Rocket Referrals leverages Amazon Web Services (AWS) for its networking, computing and storage infrastructure. AWS provides Rocket Referrals with world-class protection through multiple levels including Physical, Network, Host, Software, and User Account Security.

AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS undergoes annual SOC 1 audits and has been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for Department of Defense (DoD) systems.

For detailed information regarding AWS security, please refer to Amazon Web Services: Overview of Security Processes.

In addition, Rocket Referrals only leverages AWS services which are deemed HIPAA-eligible. As of July 8th, 2015, the AWS "HIPAA-eligible" services include: Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon Elastic MapReduce (EMR), Amazon Elastic Load Balancer (ELB), Amazon Glacier, Amazon Relational Database Service (RDS) [MySQL and Oracle engines], Amazon Redshift, and Amazon S3.

Within a reasonable time frame from the discovery of any breach and its investigation, Rocket Referrals will inform you that a breach has occurred and what information may have been accessed.

Additional Policies

Unused services are disabled and software updates are applied on a regular basis.
Rocket Referrals regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the Rocket Referrals environment, they are thoroughly tested and deployed in a timely manner.
All services and servers are routinely monitored for integrity and availability. We review all alerts generated by monitoring systems, and respond promptly.
Administrative access to Rocket Referrals infrastructure is limited to strictly authorized users.
Strong password guidelines are in place, including complexity and minimum length requirements. Passwords expire and must be changed on a regular basis.
All internally developed software is subject to a strict Quality Assurance (QA) program, including extensive testing of functionality. Strong change control processes are in place to ensure that all code deployed to the production environment has been appropriately reviewed.