Secure cloud-based web application for modern-day pharmacies

Security controls

Up-to-date software security controls

Adequate countermeasures are in place to avoid, detect, counteract, and minimize security risks to the patient data held in your PharmAssess cloud account. Information security controls are strictly followed to protect the confidentiality and integrity of information and to restrict access to it.

Security documentation available upon request.

PHIPA & PIPEDA compliant

Validated by INQ Law, 2022

Privacy impact analysis completed by 3rd party.

State-of-the-art cloud service

Industry-leading hosting provider, AWS.

CA-Central-1 region (Canada only).

Industry-standard data integrity

Encryption at rest and in transit.

Patient data backed up daily.


Secure login

Two-factor authentication for pharmacies.

Bot protection by Google reCAPTCHA v3.

Company policies

Company-enforced policies

  • Personnel training
  • Data usage control
  • Monitoring access points

Privacy training

Mandatory for all employees starting 08/01/23.

Strict data access and retention policy.

Incident management

Data breach response plan.

Integrated threat detection system.

Verified by 3rd parties

Annual third-party penetration tests.

Monthly vulnerability scans.

Continuous refinement

SOC2 & ISO 27001 certifications in progress.

US HIPAA & EU GDPR compliance pending.

Security Controls

Comprehensive security practices implemented across our organization to protect your patient data and ensure regulatory compliance.

Risk management program established

A documented risk management program is in place covering identification of potential threats, rating risk significance, and mitigation strategies.

Risk assessments performed

Risk assessments are performed at least annually. Threats and changes (environmental, regulatory, technological) are identified and formally assessed, including considerations for fraud.

Company commitments externally communicated

Security commitments are communicated to customers via the Software as a Service Agreement and Privacy Policies.

Third-party agreements established

Written agreements are in place with all vendors and third-parties, including confidentiality and privacy commitments applicable to each entity.

Cybersecurity insurance maintained

Cybersecurity insurance is maintained to mitigate the financial impact of potential business disruptions.

Anti-malware technology utilized

Anti-malware technology is deployed to environments susceptible to malicious attacks, configured to update routinely and installed on all relevant systems.

Employee background checks performed

Background checks are performed on all new employees prior to onboarding.

Security awareness training implemented

Employees are required to complete security awareness training within thirty days of hire and at least annually thereafter.

Confidentiality agreements acknowledged

All employees sign a confidentiality agreement during onboarding; contractors sign at the time of engagement.

Code of Conduct enforced

Employees acknowledge a code of conduct at hire. Violations are subject to disciplinary action in accordance with the disciplinary policy.

MDM system utilized

A mobile device management (MDM) system is in place to centrally manage mobile devices supporting the service.

Access revoked upon termination

Termination checklists ensure that all access is revoked for terminated employees within established SLAs.

Security policies established and reviewed

Information security policies and procedures are documented and reviewed at least annually.

Development lifecycle established

A formal SDLC methodology governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems.

Vulnerabilities scanned and remediated

Host-based vulnerability scans are performed at least monthly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

Business Continuity and Disaster Recovery plans

A documented BC/DR plan is in place and tested at least annually. Communication plans maintain information security continuity in the event of key personnel unavailability.

Change management procedures enforced

Changes to software and infrastructure are authorized, formally documented, tested, reviewed, and approved prior to production deployment.

Incident response policies established

Security and privacy incident response policies are documented and communicated to authorized users. Incidents are logged, tracked, resolved, and communicated to affected parties.

Access requests required

User access to system components is based on job role and function, or requires a documented access request and manager approval prior to provisioning.

Log management utilized

A log management tool identifies events that may impact the company's ability to achieve its security objectives.

Password policy enforced

Passwords for all in-scope system components must be configured according to the company's security policy requirements.

Vendor management program established

A vendor management program is in place, including a critical third-party vendor inventory, vendor security and privacy requirements, and annual review of critical vendors.

Service infrastructure maintained

Infrastructure is patched routinely and in response to identified vulnerabilities to ensure servers are hardened against security threats.

Intrusion detection system utilized

An intrusion detection system provides continuous monitoring of the network and early detection of potential security breaches.

Remote access MFA enforced

Production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method via an approved encrypted connection.

Production access restricted

Privileged access to the production network, database, OS, and application is restricted to authorized users with a verified business need.

Unique authentication enforced

Authentication to production datastores, network, and applications requires unique usernames/passwords or authorized SSH keys. Shared credentials are prohibited.

Infrastructure performance monitored

An infrastructure monitoring tool monitors systems and performance, generating alerts when predefined thresholds are met.

Network segmentation implemented

The network is segmented to prevent unauthorized access to customer data, with access control policies governing all user provisioning and de-provisioning.

Network firewalls utilized

Firewalls are deployed and configured to prevent unauthorized access. Privileged firewall access is restricted to authorized users with a business need.

Network and system hardening standards maintained

Network and system hardening standards are documented and based on industry best practices. A formal inventory of production system assets is maintained.

Vulnerability and system monitoring procedures established

Formal policies outline requirements for vulnerability management and system monitoring across all IT and engineering functions.

Penetration testing performed

Penetration testing is performed at least annually by a qualified third party. A remediation plan is developed and vulnerabilities are addressed in accordance with SLAs.

System changes externally communicated

Customers are notified of critical system changes that may affect their processing or data handling.

Support system available

An external-facing support system allows users to report system failures, incidents, concerns, and complaints to appropriate personnel.

External support resources available

Guidelines and technical support resources relating to system operations are provided to customers. Security documentation is available upon request.

Data transmission encrypted

Secure data transmission protocols (TLS) encrypt all confidential and sensitive data when transmitted over public networks.

Data encryption at rest

All datastores housing sensitive customer and patient data are encrypted at rest using industry-standard encryption.

Backup processes established

A data backup policy documents requirements for backup and recovery of customer data. Patient data is backed up daily.

Customer data deleted upon leaving

Customer data containing confidential information is purged from the application environment in accordance with best practices when customers leave the service.

Data classification policy established

A data classification policy ensures confidential data is properly secured and restricted to authorized personnel only.

Data retention procedures established

Formal retention and disposal procedures guide the secure retention and disposal of customer data throughout its lifecycle.

Subprocessors

The third-party vendors and services that PharmAssess engages to process customer data as part of delivering the PharmAssess platform are listed below, with the purpose of each and where the data resides.

Vendor: Amazon Web Services (AWS)
Purpose: Infrastructure & Cloud Hosting. Primary cloud infrastructure - compute, storage, databases, and networking. Patient data stays within the AWS CA-Central-1 region.
Data residency: Canada (CA-Central-1)

Vendor: AWS SES / SNS
Purpose: Email & SMS Notifications. Transactional email and SMS notifications to pharmacists and patients (appointment confirmations, prescription alerts, and system notifications).
Data residency: Canada & USA

Vendor: Microsoft Azure
Purpose: AI & Ancillary Cloud Services. Supplementary AI and cloud services supporting clinical decision tools and workflow automation features.
Data residency: Canada

Vendor: Documo
Purpose: Electronic Fax (eFax). Secure electronic fax service for transmitting clinical documents such as prescriptions, referrals, and patient records.
Data residency: Canada & USA

Vendor: Google LLC
Purpose: Bot Protection (reCAPTCHA v3). reCAPTCHA v3 is used on login and registration flows to protect against automated bots and brute-force attacks. No personal health information is shared.
Data residency: Canada & USA

Vendor: Dispensing Systems
Purpose: Pharmacy Management System Integration. Integration with licensed Pharmacy Management Systems to synchronize patient profiles, prescription data, and dispense records.
Data residency: Canada

Vendor: MedSask
Purpose: Clinical Guidelines & Therapeutic Content. Licensed minor ailment treatment guidelines and evidence-based therapeutic recommendations displayed within the PharmAssess clinical platform.
Data residency: Canada

Vendor: HQ3
Purpose: Pharmacy Data Integration. Data integration services connecting PharmAssess with pharmacy workflow systems and third-party data sources.
Data residency: Canada

This list reflects active subprocessors as of May 2026. PharmAssess will provide advance notice of material changes to this list. For questions, contact info@pharmassess.ca.