Data Security

ISO 27001 Certified

The Midaxo information security management system (Midaxo ISMS) meets the international ISO/IEC 27001:2013 standard. As of April 2016, Midaxo was certified compliant by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) after successful completion of a formal compliance audit. ISO 27001 is an internationally recognized security management standard that specifies security management best practices and comprehensive security controls.

Midaxo was recently audited by KPMG IT Certification Ltd and passed the recertification audit on April 6, 2019. 

 Download Certificate

NIXU Certified

The Midaxo Platform service has an Information Security attestation issued by Nixu Ltd., the largest independent information security expert services company in the Nordics. The attestation process verifies that the Midaxo Platform architecture and software are designed, implemented, and maintained securely. Nixu Ltd. performs an annual security audit to maintain the Nixu Information Security attestation. Besides Nixu Ltd., other independent third-party auditors regularly audit Midaxo Platform’s security.

In addition, customers have audited Midaxo Platform. Midaxo offers customers the opportunity to perform security audits and penetration testing of their own with a test instance with the same architecture as in Midaxo Platform.

Download Attestation

Cloud Security Alliance (CSA) STAR

We are participating in CSA STAR's security assurance program on the Self-assessment-level. CSA STAR provides a meta-matrix of cloud-specific security controls that are mapped to several standards, best practices and regulations. We feel that by making this information about our security practices public, we’re readily providing answers to such questions that you would likely ask us anyway, and we’re also promoting industry transparency in general. If we haven’t stated our compliance to your preferred standard or practice, there is a good chance that our filled Consensus Assessments Initiative Questionnaire (CAIQ) will contain answers to your key concerns about our security practices.

GDPR

What is GDPR?

Starting May 25, 2018, the EU General Data Protection Regulation (GDPR) has replaced the Data Protection Directive 95/46/EC. The new law is expected to harmonize data privacy laws across Europe to protect personal data of all EU citizens. It aims to reshape the way organizations within the EU region – and outside – approach data privacy. The purpose of the GDPR is to protect all EU citizens from privacy and data breaches. More information about the new regulation can be found here.

GDPR and Midaxo

At Midaxo, customer data protection is our top priority. The technical implementation of Midaxo platform is designed to meet strict data security regulations. As data controller, Midaxo customers have complete ownership of the data. Midaxo platform enables data controllers by empowering the customer users to keep personal data secure, up-to-date and provide rights to their own personal data. Midaxo platform architecture is based on the fundamental principles of ‘Privacy by Design’ and ‘Privacy by Default.’ In nutshell – be at ease, Midaxo platform is fully compliant with GDPR

As an organization, Midaxo has evaluated new restrictions which the GDPR will impose along with subject matter experts in Europe. We have identified the areas within the company and have taken the necessary steps to ensure compliance with the law. Midaxo Data Processing Agreement (DPA) is available upon request. If you have any questions, please feel free to contact us.

For more information, read our article - GDPR Compliance: New Rules for M&A.

HIPAA Statement

The Health Insurance Portability and Accountability Act (HIPAA) of United States law mandates requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to hospitals and other healthcare companies that have access to patients’ protected health information (PHI), and it also applies to their business associates that can access PHI.

The scope of HIPAA was extended by HITECH, the Health Information Technology for Economic and Clinical Health Act in the United States. The relevant HITECH requirements are included in the HIPAA Omnibus rule.

HIPAA requires that the covered entities and their business associates sign Business Associate Agreements (BAA). Once the BAA is signed between Midaxo as a business associate and a customer covered in HIPAA, the customer can store and process PHI in Midaxo applications and services that are covered in the BAA.

There is no official certification for the Omnibus HIPAA compliance. However, the Midaxo services covered under the BAA have been audited and are included in Midaxo ISO/IEC 27001 certification.

Midaxo fulfills the HIPAA and HITECH compliance requirements for business associates. In particular, Midaxo fulfills the general, administrative, physical, technical, and organizational requirements and has appropriate policies and procedures for business associates in compliance with Omnibus HIPAA, as stated in HIPAA §164.306 - §164.318.

It should be noted that, while Midaxo ensures the confidentiality, integrity, and availability of all customer data within our service, we also give broad usage rights for the administrative users of our customers for their own data.

Even though Midaxo takes every precaution to appropriately protect the data, it is possible for our customers to manage the data within their own account in Midaxo in such a way that would jeopardize their compliance with HIPAA. To help our customers to maintain their HIPAA compliancy while using Midaxo, here are some procedures and precautions that should be considered:

• Permanent deletions. Midaxo gives a choice for the customer administrators to either archive or permanently delete data. We recommend for our HIPAA-covered customers not to use the permanent delete option.
• Sharing Data. Midaxo offers strong access controls and permission management. To maintain HIPAA compliancy, the customer administrators should only share data as appropriate, according to HIPAA requirements.
• Saving PHI data. Even though we are Omnibus HIPAA-compliant, we recommend considering whether there really is a need to store PHI data to Midaxo.
• Audit log. We provide customer-specific audit logs for customer administrators, should you need to present system activity data while you are being audited.