in safe hands
Privacy
To provide a clinical grade tracking system for you and your family that can also allow the data to assist life sciences, we take your privacy and security very seriously. We fully recognise and agree with the principles of information security standards and objectives as set out by legislative frameworks such as HIPAA, GDPR and The Data Protection Act 2018 in the UK. The noink platform is registered as a data controller with the UK Information Commissioner (ico.org.uk/). noink protects your privacy in compliance with regulations in the following ways:
- Data controller - noink is a data controller and not a data processor. We provide you with the means to create and store your health data in a structured way. This structured data can assist life sciences with your consent, but fundamentally we do not monitor your usage of the platform, we do not process your data and most importantly we do not sell your data to third parties.
- PII - Regulation around the use of health data is very clear on how Personally Identifiable Information (PII) must be managed. In noink, such PII data is stored separately from the health notes you create as a matter of course and given extra layers of protection.
- Social media - noink is not a social media platform so we are not using our userbase as an advertising opportunity for 3rd parties. We carefully monitor account signups to ensure that fake accounts are never created. To further ensure that fake accounts do not get into the noink platform, we maintain a database of known disposable email accounts and spamming domains. Attempted signups from such accounts are never allowed. We believe the level of fake accounts on social media platforms is unacceptable for a healthcare setting, so we do not allow people to sign up to the system using social media accounts.
- User Authentication - Access to noink is via a password that only you know. We store a hash of the password, never the password itself. As we do not know your password, we can only reset it at your request, not tell you what it actually is. Upon user creation we set up a default password that MUST be changed upon first login. This guarantees that nobody supporting the noink system knows your password. We also recommend that you change your password regularly and make it easy to do so. We do not allow "keep me logged in" functionality as this can expose passwords. The only cookie we allow you to store on the system is your account login details, never your password. As noink is multi-user, the account holder has full control over creating, deleting and amending the rights of any trusted people you may want to add to your account. These members of your noink account can be created, deleted or disabled at the push of a button.
- Access to data - As it is your data you can access ALL of it at any time. noink gives you the ability to download your entire dataset at any time. You can easily delete or edit any health notes you create.
- User consent - At noink we would love for you to share your data with life science organisations but that choice is determined by you and how you were onboarded onto noink. At all times you have to give your consent for your data to be shared. You can set time limits on the sharing and have very fine-grained control over what is to be shared. By default you are opted out of this and have to actively opt in to data sharing via our informed consent mechanisms. The data is also redacted by default (to remove PII) when sharing, but you have the ability to share in full (unredacted) if you so wish.
Security
To achieve the level of privacy and protection we require for your health data, the noink platform has been architected with many security-conscious features. Our technical goal is to provide security in depth and minimise the attack surface of all data stored for you. These features include, but are not limited to:
- Decentralisation of data - We do not store all our users’ data in a single location, data centre or region. We have multiple locations. This means any single attack on our systems will at most be on a much smaller number of users than if we stored everything centrally.
- Cloud & data centre agnostic - We do not host our platforms on a single cloud provider and we remain rigorously vendor neutral. While this limits our exposure to cloud provider outages, it also allows us to operate in areas not served by them. The noink platform is hosted in many data centres, all of which must comply with "Tier-3" levels of technical redundancy. Tier-3 data centres are expected to have an uptime of 99.98% (~96 minutes of downtime a year) with in-built redundant power and cooling systems.
- Regular backups of data - We back up your data regularly and our RTO & RPO are set accordingly. RTO is the Recovery Time Objective, which defines how long we expect to take to recover in the event of an outage. Currently this is 4 hours. RPO is the Recovery Point Objective, which defines the point in time to which we should be able to recover data from backup. Currently this is the last full day of data. For added security, all backups of your data are stored in a different location from where your working data resides.
- Encryption - Like many clinical grade systems we employ encryption both in transmission (data entry and retrieval) and at rest (storage of data). We use the strongest security key possible in our encryption. Any data sharing you allow from noink is via API, using strong encryption key tokens, to 3rd parties you allow. These access tokens are themselves time limited and have to be renewed regularly.
- User Management - The platform gives you a complete audit trail of who logged onto your noink and when. You can remove and add users at any time. noink gives you full control of who can access your data.
- Active security monitoring - Any method that allows the entry of data into a computer system is also an opportunity to attack the system. noink therefore scans input for known attacks such as SQL injection, cross-site scripting and URL manipulation, to name but a few, before the data is stored. This is to protect your data at all costs.
- Regular security audits - To make sure our systems are performing to their best, we regularly perform security scans and penetration tests on our infrastructure. All components of the platform are regularly updated to the latest security patch levels in line with industry best practice.
If you would like to find out more about our security and privacy policies please do not hesitate to contact us on info@noink.me or use our contact form. We are happy to answer any questions you may have.