MERFi Support Hub

User Guide | Security Overview | FAQs | Contact

< All Topics

Compliance & Policies

  • The MERFi platform is HIPAA compliant
  • All GCP access accounts use multi-factor authentication in addition to a strong password
  • Production server credentials are not committed to code; they are provisioned on build server and stored securely
  • All database queries are properly escaped at database abstraction object/service level, even if query data comes from a hard-coded string, constant, or other trusted source
  • API secret keys are not checked in to code repository
  • MFA shared secrets are not checked in to code repository
  • Any other key, password, or protected values are not checked in to code repository
  • Production database and other non-public servers access is restricted to production servers (no public IP address for servers)
  • Production servers can only be accessed through an HTTPS/SSL protocol (port 443) and TLS
  • Server logs are sanitized of patient data to prevent information leakage
  • Server logs are secured on servers, and access is restricted as strongly as any other data
  • Access to production server is heavily restricted and requires temporary, fully logged permissions for specific timeframes to prevent internal leaks