Quartet Security Statement

At Quartet, we recognize the highly sensitive nature of data entrusted to us by our partners. We also recognize the regulatory requirements set forth by HIPAA / HITECH and industry best practices and standards (e.g., AICPA Trust Services Principles and ISO27001/ 2) and strive to meet and exceed those requirements. The goal of this Security Statement is to ensure transparency regarding our security practices, and to help reassure you that your data is appropriately protected.

You may report security issues to us at [email protected]

Quartet utilizes Amazon Web Services (“AWS”) in order to take advantage of the elasticity, reliability and security of the AWS Infrastructure as a cloud service.

All data is stored and processed through AWS’ certified-secure facilities:

• AWS hosting facilities are SOC Type 1 & 2 certified and certified to meet ISO standards
• AWS hosting facilities accessible only by biometric scanning
• 24/ 7 monitoring by security guards
• 24/ 7 video surveillance

• The AWS cloud infrastructure meets the requirements of an extensive list of global security standards, including: ISO 27001, SOC, HIPAA / HITECH, FedRAMP and the PCI Data Security Standard.
• Performance and availability metric monitoring tools alert on-call teams for quick detection and triage of application issues.
• Internet-facing services and operating system packages are assessed for security vulnerabilities on a continuous basis.

• Quartet uses encryption and supports TLS for all communication.
• A web application firewall is configured to filter application access in multiple tiers.
• Sensitive data and electronic files are encrypted at rest.
• Quartet extensively monitors application usage from a security perspective and receives near real-time notifications for security events.
• Passwords are stored using a secure hashing algorithm with an industry standard work factor.
• The applications also support multi-factor authentication.
• Web application security is continuously tested using automated tools.

• All Quartet employees are bound by confidentiality agreements and stringent policies regarding HIPAA compliance & data security.
• All Quartet employees receive regular training on HIPAA / HITECH compliance obligations and security best practices.
• Quartet’s Compliance/ Privacy Officer and Chief Information Security Officer oversee the implementation and enforcement of Quartet’s HIPAA privacy, security and other compliance policies.

• Disaster recovery processes are tested on a quarterly basis using automation for data recovery and application restoration.
• DLP (Data Loss Prevention) solutions and data segmentation restrictions are utilized to detect and prevent malicious data exfiltration or accidental data sharing.
• Quartet maintains a security breach response plan to respond to data breaches promptly and effectively.

• 24-hour manned security on-premise with key card access.
• 24-hour video surveillance.
• All workstations enforce full-disk encryption and lock session based on inactivity timeout.
• All workstations have anti-malware software.
• Operating system and software security updates are pushed at regular intervals.
• Web browsing activity is monitored and access to malicious websites is blocked.

• Quartet has undergone a HIPAA Risk Assessment conducted by an external audit firm.
• Quartet is within the reporting period of its SOC-2 certification for the following AICPA TSPs: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
• AICPA Trust Principles and Criteria are mapped to HITRUST CSF controls for dual reporting.
• Quartet applications have passed third-party penetration tests, which are conducted at least on an annual basis.
• Quartet retains external counsel to advise on privacy & security rules and regulations, as well as best practices.