Keeping Your Data Secure: Submittable Meets SOC 2 and HIPAA Compliance

10/22/2018

Submittable was designed and built with privacy and security in mind, and our team is committed to building a platform that helps you securely collect submissions without compromising privacy. To that end, we’re pleased to announce two important security benchmarks: SOC 2 Type 1 for the 2017 Trust Services Criteria regarding Common Criteria/Security and HIPAA compliance.

While the user experience within the platform hasn’t changed, here are a few behind-the-scenes reasons these security measures make a difference for your organization and submitters.

What is SOC 2?

SOC 2 is an auditing procedure developed by the American Institute of CPAs (AICPA) and specifically designed for service providers who store customer data in the cloud. It is meant to ensure service providers, like Submittable, put in place well defined policies, procedures, and practices to protect every organization’s data.

SOC 2 is a technical audit, but goes well beyond just ticking the right compliance checkboxes. An outside auditor reviews each organization’s processes and systems to ensure AICPA’s general criteria and its security trust service principle.

So, what does SOC 2 mean for you? Here are a few examples of security measures Submittable has in place:

  • Our developers have established a baseline for normal system activity to assist in identifying suspicious activity. This means Submittable is prepared for known attacks, like phishing schemes, but also for new, unknown threats.
  • Alerts and intrusion detection tools let our team know if unauthorized access does occur, so that response and corrective action can occur quickly.
  • Audit trails lead to the root cause of an attack quickly so we can make quick and informed decisions about how to respond.

All told, Submittable’s team spends considerable time thinking about security and data safety, so that you don’t have to.

What about HIPAA? I thought that was for healthcare.

You’re right; it is. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, or in plain language, it’s U.S. legislation that’s meant to protect individuals’ medical records and personal information.

HIPAA establishes safeguards and best practices that healthcare providers and others must follow to protect the privacy of health data.

While Submittable isn’t a healthcare provider, many of our customers are, or they might need to collect and review healthcare information in some capacity. Being HIPAA compliant means these organizations can use our software with confidence, knowing it meets these regulations and that their users personal health information is safe.

It also means Submittable can sign a HIPAA BAA, or business associate agreement, which is a hybrid contractual and regulatory agreement confirming that both parties satisfy HIPAA regulatory requirements. Contact your Submittable sales rep or account manager, or accountmanagement@submittable.com to learn more about getting a HIPAA BAA.

A few of the other changes we’ve made include:

  • putting safeguards in place to protect patient health information;
  • limiting use and sharing of protected health information to a minimum;
  • updating Submittable’s file viewer so that HIPAA-compliant customers download audio or video, rather than view it in the browser, to meet the law’s requirements;
  • and, adding procedures to limit who can access patient health information, and training programs about how to protect this data.

___

Submittable takes the security of your data seriously. A SOC2 audit and HIPAA compliance are not our most showy or exciting features, and for all but the most stalwart devotees, can be a dizzying and disinteresting topic. But giving you the peace of mind that your organization’s data and submitter’s information is private and secure is another way Submittable is here to make your submission process easier. And that is something to get excited about.

Keriann Strickland

Keriann Strickland manages content and branding for Submittable's marketing team. She's a recovering journalist, mountain lover, and gifted spiller (and speller).