Security
We are fully HIPAA compliant and our payments infrastructure is PCI Level 1 compliant: your clients' payment, package, and other data are safeguarded with enterprise-grade security.
Hosting & Deployment
Exercise.com is hosted as an application in Google Cloud Platform (GCP) in the USA, Canada, the EU, the United Kingdom, and Australia. We also use Amazon Web Services (AWS) to serve some assets. These Google and Amazon facilities hold all major security and data privacy accreditations, including SOC 1 (SSAE-16), SOC 2, PCI DSS Level 1, ISO 27001, HIPAA, and FIPS 140-2.
Physical access to servers in the data centers is restricted to authorized Google and Amazon personnel. Exercise.com employees have no physical access to the servers. We do not host any on-premises infrastructure, and we require two-factor authentication for all employees who work with internal systems (code repositories, build systems, cloud providers, etc.). We apply the "least privilege" model, meaning we grant each employee only the minimum access needed to perform their duties.
Exercise.com engages a third-party cybersecurity company to conduct regular penetration tests, no less than annually, and to evaluate, and prescribe measures for, compliance with all HIPAA standards and industry security best practices.
Storage & Encryption
All customer data is always encrypted, in transit and at rest. We use an up-to-date TLS 1.x protocol for all control communications, including data transfer between components, to ensure all traffic is encrypted. For data at rest, we use AES-256, one of the most widely trusted encryption ciphers.
Backup & Resiliency
Exercise.com services are deployed using industry best practices. High availability and disaster recovery are built into our cloud architecture. In case of a component failure, the platform launches additional instances and redirects the load.
Exercise.com's backup policies and procedures identify the critical resources, including the databases, that are backed up automatically to enable the recovery needed to meet our SLAs. All production data is replicated automatically to a separate infrastructure. Exercise.com tests its data recovery plan continuously.
Sub-Processors
We limit the extent of data sharing with our sub-processors to the degree that is minimally necessary to provide our service and make sure that all the technology providers that we use:
- Pass regular security reviews and audits;
- Comply with data protection and privacy regulations (SOC 2 and/or ISO 27001);
- Have a good reputation (publicly listed companies or private companies with reputable backers).
We encrypt (see Encryption & Access Control) all customer data stored in our infrastructure providers’ (GCP and AWS) data centers in transit and at rest. We share only limited information with Stripe, necessary to manage subscriptions, invoice and process payments (including customers’ billing addresses, contact details and bank account details). We use customer relations management software, HubSpot, Salesforce, and Salesloft, to automate the communication with customers and to store customer contacts in their systems.
Sub-Processor | Description | HQ Location |
---|---|---|
Alphabet Inc. | Google Cloud Platform (GCP), offered by Google, is a cloud computing service. GCP is compliant with SOC 1/2/3, ISO/IEC 27001, PCI DSS and other major security regulations. We use GCP to host our application, as well as to store backup data using encrypted geo-redundant cloud storage. | Mountain View, CA |
Amazon.com, Inc. | Amazon Web Services (AWS) is a subsidiary of Amazon providing an on-demand cloud computing service. AWS is compliant with SOC 1/2/3, ISO/IEC 27001, PCI DSS and other major security regulations. We use Amazon Web Services to host certain assets in our application and to store backup data using encrypted geo-redundant cloud storage. | Seattle, WA |
Stripe, Inc. | Stripe offers payment processing and anti-fraud tools which we use to accept payments from customers, manage subscriptions, and perform transaction reporting. Stripe is certified as a PCI Level 1 Service Provider, which is the most stringent level of certification available in the payments industry. | San Francisco, CA |
HubSpot, Inc. | HubSpot provides tools for customer relationship management (CRM), social media marketing, lead generation and web analytics. It has TRUSTe certification for Enterprise Privacy and its IT is audited as part of the Sarbanes Oxley compliance. We use HubSpot CRM and analytics tools to manage and automate our sales processes. | Cambridge, MA |
Salesforce, Inc. | Salesforce, Inc. is an American cloud-based software company headquartered in San Francisco, California. It provides customer relationship management software and applications focused on sales, customer service, marketing automation, analytics, and application development. | San Francisco, CA |
Salesloft | Salesloft is a sales engagement platform. The company was founded in September 2011. Though its original product offering focused on sales development, the company has since expanded its platform to offer functionality for the entire sales organization. | Atlanta, GA |
Compliance
Exercise.com complies with all major industry regulations and is HIPAA and GDPR compliant. For customers that process Protected Health Information (PHI) and Personally Identifiable Information (PII) we will sign a Business Associate Agreement (please visit here for the HIPAA Business Associate Agreement). The General Data Protection Regulation (GDPR) regulates data protection in the European Union (EU) and the European Economic Area (EEA). Exercise.com is compliant with GDPR. We have a Data Protection Officer who can be reached by contacting us.
Transparency Report
As of December 15, 2022, Exercise.com has not received any law enforcement or government information requests. Exercise.com has not built backdoors for any government into our services.
The following summary covers 2022 calendar year through 12-15-2022:
Category of Request | Total Requests | Challenged, No Data Disclosed | Completed, Data Disclosed |
---|---|---|---|
U.S. Requests | | | |
Court Orders | 0 | 0 | 0 |
National Security Requests | 0 | 0 | 0 |
Search Warrants | 0 | 0 | 0 |
Subpoenas | 0 | 0 | 0 |
Non-U.S. Requests | | | |
All Non-U.S. Countries | 0 | 0 | 0 |
Additional Information
For more information, please visit the following pages: