Faro Trust Center
Overview
Faro Health maintains a best-in-class information security and compliance program to ensure continuous compliance with all customer requirements and applicable laws. Leveraging a compliance management system, Faro Health tracks security, privacy, and regulatory controls to ensure that the expected level of customer trust is met or exceeded. This page focuses on the high-level capabilities and structure of how Faro Health approaches information security and compliance.
Security, Privacy and Compliance
Standards and Best Practices
The list below states the compliance standards, regulations, and best practices that Faro Health’s Information Security and Compliance program actively tracks against, so that customers can maintain their own compliance when using Faro Health solutions.
- Service Organization Control 2 (SOC 2) Type II
- ISO 9001:2015 – Quality Management Systems
- ISO 27001:2022 – Information Security Management Systems
Faro Health has designed its internal processes leveraging the following best practices within its security program:
- NIST SP 800-18 – Developing Security Plans for Federal Information Systems
- NIST SP 800-34 – Contingency Planning Guide
- NIST SP 800-37 – Risk Management Framework
- NIST SP 800-39 – Managing Information Security Risk
- NIST SP 800-43 – Guide to Enterprise Patch Management
- NIST SP 800-53 r5.1 – Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-61 – Incident Management
- NIST SP 800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- NIST SP 800-137 – Continuous Monitoring
- ISO 27002:2022 – Information Security Controls
Certifications
Faro Health partners with third party auditors to perform a SOC 2 Type II audit annually with a focus on the security, confidentiality, and availability of Faro Health products and their underlying infrastructure.
Personnel Security
Faro Health ensures that it only hires qualified applicants by performing comprehensive background checks. On an annual basis, all employees receive security, privacy, and regulatory training commensurate with their role at Faro Health to ensure the appropriate and secure handling of all data. All Faro Health personnel must agree to Faro Health policies before gaining access to sensitive data, including policies that cover non-disclosure, confidentiality, security, and acceptable use.
Quality Management System
Faro Health maintains a Quality Management System (QMS) based on ISO 9001:2015 standards for all product development to ensure that products meet the level of quality expected from customers and any non-conformance is remediated in a timely fashion.
Data Privacy
The only personally identifiable information (PII) present on Faro Health products is the minimum necessary to provide access to platform users. Faro Health’s privacy program aligns with GDPR requirements for data subject rights, and any requests related to GDPR can be relayed to the customer point of contact.
Protecting Data
Data Tenancy and Separation of Customer Data
Faro Health ensures that each customer’s data is secure and segmented from other customers. For any customer in Faro Health’s multi-tenant environments, customer data is logically separated at the database/datastore level.
Data Durability
At Faro Health we ensure that all customer data is protected in case the unexpected happens. All customer data is stored within Faro Health’s cloud provider on a storage infrastructure designed to provide a high level of durability, ensuring that any data created on the Faro Health Study Designer platform is protected.
Backups
Faro Health performs automatic backups of all customer data to protect against loss due to unforeseen events. Data is backed up to multiple redundant datacenters and backups are monitored by the Faro Health Global Operations Center to ensure a continuous level of data protection.
Encryption
Faro Health leverages industry standard encryption for all communications and customer data, both at rest and in motion. For data at rest, Faro Health leverages FIPS 140-2 compliant AES256-CBC encryption or greater. For all data in motion, Faro Health leverages TLS 1.2 or greater.
Product Security
Vulnerability Management
Faro Health maintains an active vulnerability management program for reviewing vulnerabilities in developed code, third party software, and Faro Health’s product infrastructure. While Faro Health does not have a bug bounty program in place, external parties can notify security@farohealth.com for any externally discovered vulnerabilities. Invasive testing of Faro Health systems is not permitted without explicit written approval.
Application Security
Faro Health leverages industry standard technologies to protect its product infrastructure against external threats such as SQL injection, cross-site scripting, man-in-the-middle and others, including all attacks identified by the OWASP Top 10. All dependencies within Faro Health’s supply chain are monitored to ensure the foundation of all Faro Health products is a secure one.
Incident Response
Faro Health’s Global Operations Center actively monitors Faro Health’s infrastructure from both an operational and a security perspective to ensure the confidentiality, integrity, and availability of Faro Health products and any customer data stored within. All platform traffic and authentication are actively monitored leveraging automation coupled with a strongly documented process to ensure that any malicious activity is detected and responded to in a timely manner.
Third Party Software Reviews
All software used within Faro Health platforms is reviewed at least annually to ensure it aligns with the security, privacy, and regulatory requirements expected from Faro Health customers. Any subprocessors leveraged by Faro Health products go through a stringent review process which includes customer notification.
Disaster Recovery and Business Continuity
In order to support its recovery time and recovery point objectives on its products, Faro Health maintains a Disaster Recovery and Business Continuity Plan (DR/BCP) for which it performs testing and training on at least an annual basis. Any deviations discovered in testing are documented and used to continuously improve the process.
Third Party Security Testing
Faro Health validates the effectiveness of its security program by engaging a third party to test the security of Faro Health products on at least an annual basis and ingesting any findings into Faro Health’s vulnerability management program.
Access Controls
Authentication
Faro Health leverages industry standard authentication modules for customer authentication and single sign-on, allowing customers to manage platform users through their own authentication system as well as to require multi-factor authentication.
Least Access Privilege
Faro Health personnel that support the product infrastructure do not have default access to customer data and must initiate a “break the glass” procedure in order to gain access, which requires approval beforehand and a level of review afterwards. All Faro Health access to product infrastructure is designed using the zero trust model and only grants the least required amount of access at any given time.
Auditing
Access to the Faro Health platform is continuously audited and monitored for any abnormal activity. Audit logs are immutable, which ensures that there is a holistic audit trail of access to the platform and its underlying infrastructure.