agencyEZ Security

Our platform is a highly-secured, private-cloud environment in Amazon Web Services (AWS) with 24-hour, 7-day-a-week access for employees, employers, agencies, and carriers.

Why agencyEZ benefits technology

How we keep our platform and customers secure.

The application’s security is built on a comprehensive proprietary framework that is woven into the underlying server security infrastructure. Our security architecture uses a stateless model that provides a number of information services in the form of secured APIs. These services implicitly establish the user’s identity and guarantee that only the right set of data (records and fields) is available to the right set of users.

agencyEZ’s application software infrastructure follows Amazon’s recommended guidelines for HIPAA-compliant applications. Key application infrastructure servers (e.g. database server, cache server, application server) are hosted in a VPC environment with no visibility to the public Internet. Administrative access to these servers goes through a bastion server and requires a private key file; direct access to the servers is restricted. The servers are further protected by a Web Application Firewall configured with rules based on OWASP guidelines to mitigate threats such as DDoS and application-layer attacks.

agencyEZ’s administrative AWS accounts require multi-factor authentication on every login, using Google Authenticator on iPhone. Development and production sites are maintained in independent AWS accounts.

Learn more about our platform’s security.


Site Registration

Site Registration allows users to set their authentication credentials for the site. Admin users register through an authorized link in an invite email initiated by another admin.

Employee users register similarly through an authorized link in an invite email sent by the employer or agency admin, or alternatively register themselves directly on an employer-specific registration page. Where permitted, employees can use third-party social authentication providers to log in to agencyEZ.


Site Access Recovery

Site Access Recovery allows users to reset their site login or password using an authorization code sent to their mobile phone or email. Authorization codes expire after a set time limit.

A user account is locked out after a finite number of unsuccessful login attempts.

All site access is logged and a history of user access is available as a report.


Site Authentication

Site Authentication is universal to all types of users through a central login page. Users can opt in to Multi-Factor Authentication (MFA), in which case they must complete the second factor again every 30 days or whenever they change device or browser. An employer can require MFA for all admin users or all employee users.

Generally, we require and enable MFA for all admin users of carriers, agencies, and employers.

agencyEZ uses encrypted JWT (JWE) tokens after the initial authentication, and every resource access call to the server is authenticated. The JWE token expires every 20 minutes, and the agencyEZ browser application automatically obtains an updated token. The system automatically logs the user out after 10 minutes of inactivity.


Password Maintenance

Password Maintenance stores user passwords using the highest-level encryption standards, and the stored passwords are non-reversible (one-way). User-defined passwords must comply with the password policy.

In addition, an admin user can attach a password to protect downloadable Excel reports.
