Noah ES Data Protection and Security


Effective as of Jan 22, 2021, HIMSA II K/S ("HIMSA") and its subsidiaries ("we", "us" or "our") have updated our Noah ES Data Protection and Security Policy.

Overview

HIMSA prioritizes customer trust. We know that Service Data is important to our customers' values and operations. That is why we keep it private and safe. Data covered in this policy:

  • Customer Data - Data about your business

  • Noah ES User Data - Data about the Noah ES users that you have set up to use Noah ES in your Account

  • Patient Data - Information related to your patients or customers that you provide hearing health care service to
    HIMSA supports customers in over 160 countries and territories. Our customers entrust us with sensitive information.

  • Service Data - Data consisting of Customer Data, Noah ES User Data, and Patient Data

  • Account - Your company's Noah ES Account incorporates the above data, financial, and business agreements.

HIMSA helps customers maintain control of their privacy and data security in the following ways:

  • Data Security: We provide our customers with compliance with high-security standards, such as encryption of data in motion over public networks, auditing standards, Distributed Denial of Service ("DDoS") mitigations, and Support.

  • Disclosure of Service Data: HIMSA only discloses Service Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.

  • Trust: HIMSA has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed HIMSA's adherence to industry standards.

  • Data Hosting Locality: Customers have the ability to see the region (from the available HIMSA regional options) where the data center which hosts their Service Data is located.

  • Access Management: HIMSA provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining, and improving Noah ES and as otherwise required by law.

  • Third-Party Penetration Tests: In addition to our extensive internal scanning and testing program, each year we employ third-party security experts to perform broad security and penetration tests.


Where will your Patient Data be stored?

HIMSA production systems for Noah ES are located in Microsoft Azure datacenter facilities in:

  • United States

  • Europe

Noah ES Accounts are established in one of these regions based on where the Customer business is located.

Patient Data associated with your Noah ES Account is only stored and processed within the applicable region. For example, if your business is located in Europe, your Patient Data will be processed and stored within the EU.

Who are HIMSA's sub-processors?

We maintain an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data.
Noah ES uses certain platform sub-processors, as well as infrastructure suppliers and other third-party business partners, to provide services to its customers.

Company: Microsoft
Purpose: HIMSA makes use of the Azure data center products below:

  • Azure B2C / For user authentication

  • Azure SQL database / Secure storage of Patient Data. Each Account has its own patient database. EU Patient Data is stored within the EU, and U.S. Patient Data is stored within the U.S. Australian and New Zealand Patient Data is stored in Australia.

  • Azure Kubernetes Service / Hosting of the Kubernetes cluster service used to manage and orchestrate the Noah ES services and supporting software

Location: United States

Company: Sendgrid
Purpose: Sendgrid is an email service provider used within Noah ES to send notification emails to Noah ES user accounts. The primary information Sendgrid has access to is the email addresses of recipients of the emails and the content of the emails themselves. The content of the emails covers topics such as instructions and links to set passwords via the Noah ES portal, account activity, and business-related topics such as monthly or annual charges. Patient Data is never processed through this service.
Location: United States

Company: Stripe
Purpose: Stripe provides secure payment processing services. Stripe will have access to personal and credit card information that your company will use to pay for Noah ES services. HIMSA never keeps a copy of your credit card information.
Location: United States

Company: Atlassian
Purpose: HIMSA makes use of Atlassian's Jira Service Desk application to provide technical support via the Noah ES support portal.
Location: Australia

Company: MongoDB
Purpose: HIMSA makes use of the MongoDB Atlas product. The document-style database is a hosted service that HIMSA uses to store Customer Data. The service that HIMSA utilizes is implemented within MS Azure data centers matching the customer's location: EU = EU data center, U.S. = U.S. data center, AU = Australia data center. The service is not used to process or contain any Patient Data.
Location: United States, Ireland

How does HIMSA respond to legal requests for Service Data?

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Subscription Agreement, or as otherwise required by law.

What is a Data Processing Agreement ("DPA")?

HIMSA offers customers a robust Data Processing Agreement ("DPA"), governing the relationship between the customer (acting as a data controller) and HIMSA (acting as a data processor). The DPA facilitates HIMSA's customers' compliance with their obligations under EU data protection law.
Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to HIMSA outside of the European Union by relying on one of the following mechanisms: our Binding Corporate Rules, or Standard Contractual Clauses.

Security


Protecting your information and the information of your customers is extremely important to us.
We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.
We know you have questions about how we're protecting that information, so what follows are details about some frequently requested information.

Data Centers & network security

We ensure the confidentiality and integrity of your data with industry best practices.
We use Microsoft Azure data centers around the world t