Summary
We've listed details about our data security below. In summary, Active911 takes data security seriously and your data is quite safe with us. However, we are not set up to deal with HIPAA data; please do not use your Active911 account for anything requiring HIPAA controls at this time.
DO use us to transmit CAD data. We have adopted "reasonable safeguards" as required under the HIPAA Privacy Rule, 45 CFR 164.502(a)(1)(iii) and are covered under the Privacy Rule's Incidental Disclosures clause when used as part of a reasonable CAD dispatch chain.
DO NOT use Active911 to transmit detailed private medical histories and statements of the kind that are not usually transmitted over radio channels to first responders.
Our safeguards
Our web interface uses 256 bit TLS encryption
iOS apps use 256 bit TLS encryption for data transfers
Database-to-database transfers (for the CDN server network) are encrypted
All passwords are SHA hashed
All Active911 personnel with access to the data have passed criminal background checks
Datacenters
We use multiple data centers. Our primary data center is SAS-70 Type II / SSAE-16 Certified, located in the heart of downtown Dallas, TX. It is in a Tier 3+ facility on the same protected power grid as Dallas 911 and the local hospitals. Power is sent to the data center from four different substations, requiring all four substations to go offline before power to the building is interrupted. Additionally, the data center is serviced by water feeds from the north and south of the building.
24/7/365 on site security
Card access required to gain access to parking and building lobby, biometric hand scanner required for data center entry
Annual SSAE 16 & PCI-DSS Audits
Multiple 360 degree cameras with 10x zoom, high speed recorders with DV cassette tapes, hard drives to eliminate down time for tape swaps and over recording
True A+B (2N) power configurations
2(N+2) Transformers and feeds
All UPS and Generator deployments provide (2N) redundancy
Entire cooling system is designed with at least N+1 redundancy
Multiple utility feeds from the CBD grid
Feeds to building are concrete encased
80,000 gallon reserve make-up water tank
We also utilize a smaller Oregon datacenter for geographic diversity and redundancy.
Details
A sample of typical data sent through our system looks like this:
CAR CRASH / 3133 Willow LN / XST: Ash DR / two vehicles are in the ditch
This type of information is usually considered either "public" (since it is already available to scanner listeners and anyone who wants to make a FIAA inquiry into station logbooks) or an "incidental disclosure" under HIPAA.
For more information, see HIPAA: The Intersection of Patient Privacy with Emergency Dispatch
We don't share your data with others, except as needed for technical reasons. We also allow Cadpage to use a small selection of your pages for the purpose of programming the parser (server software) to interpret your particular message format, and related technical tasks. We may use the data in a very general way for statistics generation ("there were 2,156 car accidents in the USA today") but we will keep your information private.
Cadpage has historically released their code as Open Source Software and as such have included sample pages along with their code. However, these sample pages would be limited to a selection that they used for programming; they attempt to make the data not easily readable; and in any case we are working to create a native Active911 parser where this is no longer necessary. In the meantime, if this is a problem, let us know and we will ask that they remove any sample pages from the code.