Effortless Admin (“EA”) is an administrator of employee benefit plans for Canadian employers of all sizes. EA focuses on pairing powerful software with great people to eliminate administration headaches and give their clients a competitive advantage. They also empower Canadian insurance brokers with a suite of state-of-the-art consulting tools that gives their broker partners the control and insight they need to effectively keep their fingers on the pulse of a plan’s performance.
For more information about EA and their value proposition, please visit www.effortlessadmin.com
EA is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As providers of compliant, hosted infrastructure used by employers and Third Party Administrators (TPAs), EA strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and ensure known breaches are completely and effectively communicated in a timely manner. The following addresses core policies used by EA to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for EA Customers.
SaaS Customers utilize hosted software and infrastructure from EA to run their TPA business. These customers are deployed into compliant containers run on systems secured and managed by EA. EA does not have insight or access into application-level data of SaaS Customers and, as such, does not have the ability to secure or manage risk associated with application-level vulnerabilities and security weaknesses. EA makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of SaaS Customer data through network settings (firewalls, dedicated IP spaces, etc.) and server settings (encryption at rest and in transit, OSSEC throughout the Platform, etc.).
EA signs agreements with its Customers. These agreements outline EA obligations and Customer obligations, as well as liability in the case of a breach. In providing infrastructure and managing security configurations that are a part of the technology requirements that exist in PIPEDA as well as future compliance frameworks, EA manages various aspects of compliance for Customers. The aspects of compliance that EA manages for Customers are inherited by Customers, and EA assumes the risk associated with those aspects of compliance. In doing so, EA helps Customers achieve and maintain compliance and mitigates Customers’ risk.
The physical infrastructure environment is hosted at Peer1. The network components and supporting network infrastructure are contained within the Peer1 infrastructure and managed by Peer1. EA does not have physical access to the network components. The EA environment consists of firewalls, web servers and Microsoft SQL database servers.
Within the EA Platform on Peer1, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers, databases, APIs, log servers, etc. EA assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.
In the case of SaaS Customers, it is the responsibility of the Customer to restrict, secure, and assure the privacy of all ePHI data at the Application Level, as this is not under the control or purview of EA.
EA has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers. The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS encrypted session.
The web servers are externally facing and accessible via the Internet on predefined ports. The database servers, where the ePHI resides, are located on an internal network and can only be accessed through a VPN connection. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason.
All Platform features and operating systems are tested end-to-end for usability, security, and impact prior to deployment to production.
EA, at its sole discretion, shares audit reports with Customers on a case-by-case basis. All audit reports are shared under an explicit NDA in EA’s format between EA and the party receiving the materials. Audit reports can be requested by EA workforce members on behalf of Customers or directly by EA Customers.
The following process is used to request audit reports:
Refer to the GitHub repository (https://github.com/EffortlessDev/policies) for the full version history of these policies.