SARA is a cloud-based application hosted in AWS GovCloud (US), a region available only to U.S. entities that pass AWS's screening requirements for government-related workloads.
SARA is built to be HIPAA compliant (note that HHS does not issue a formal "HIPAA certification"; compliance means the required safeguards are implemented), so your staff can exchange protected health information (PHI) through SARA.
One way to evaluate the security of a site is to test its TLS configuration and certificate. Qualys SSL Labs offers a free service that performs an in-depth analysis: https://www.ssllabs.com/ssltest/
At the time of writing, this service rated Amazon.com and Microsoft.com as a B, while The Career Index Corporation's VA implementation received the highest score, A+. Keep in mind that an SSL Labs grade covers only the TLS layer (protocol versions, cipher suites, certificate chain, HSTS), not the application behind it, and that grades change as the grading criteria and the sites themselves evolve.
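The check described above can be automated against your own deployment. The following is an added example, not code from the page or from The Career Index Corporation: it polls the public Qualys SSL Labs v3 API for a host and reduces the report to the worst grade across the host's endpoints, which is the grade that matters because an attacker connects to the weakest one. The API URL and the fields used (status, endpoints[].ipAddress, endpoints[].grade, statusMessage) follow the public SSL Labs API v3 documentation; the host name, addresses and grades in the constructed sample report are made up for the demonstration.

```python
"""Poll Qualys SSL Labs (API v3) for a host and reduce the result to one grade.

Added example; not SARA's or Qualys's code. Network access is needed only for
fetch_report(); summarize() and meets_bar() work on a report dict and are
exercised offline on CONSTRUCTED_REPORT below.
"""
import json
import time
import urllib.parse
import urllib.request

API = "https://api.ssllabs.com/api/v3/analyze"
# SSL Labs letter grades from best to worst; T = trust issues, M = name mismatch.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]


def fetch_report(host, poll_seconds=10, timeout=900):
    """Start an assessment of `host` and poll until it is READY or ERROR.

    publish=off keeps the result out of the public SSL Labs board; all=done
    asks for full details once the assessment finishes.
    """
    params = {"host": host, "publish": "off", "all": "done", "startNew": "on"}
    deadline = time.time() + timeout
    while True:
        url = API + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url) as resp:
            report = json.load(resp)
        if report.get("status") in ("READY", "ERROR"):
            return report
        if time.time() > deadline:
            raise TimeoutError(f"SSL Labs assessment of {host} did not finish in time")
        params.pop("startNew", None)  # only the first request may start a new assessment
        time.sleep(poll_seconds)


def _rank(grade):
    """Position in GRADE_ORDER; unknown or missing grades rank worst of all."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def summarize(report):
    """Return (worst_grade, {ip: grade}) for a READY report.

    An endpoint that could not be assessed has no 'grade'; it is reported as
    '?' and treated as the worst possible result rather than silently skipped.
    """
    if report.get("status") != "READY":
        raise ValueError(
            f"assessment not ready: {report.get('status')} {report.get('statusMessage', '')}"
        )
    per_endpoint = {}
    for ep in report.get("endpoints", []):
        per_endpoint[ep.get("ipAddress", "?")] = ep.get("grade") or "?"
    if not per_endpoint:
        return "?", per_endpoint
    worst = max(per_endpoint.values(), key=_rank)
    return worst, per_endpoint


def meets_bar(report, minimum="A"):
    """True if every endpoint of the host scored `minimum` or better."""
    worst, _ = summarize(report)
    return worst in GRADE_ORDER and _rank(worst) <= _rank(minimum)


# Constructed sample of the shape the API returns, used for the offline demo.
CONSTRUCTED_REPORT = {
    "host": "sara.example.test",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A+"},
        {"ipAddress": "192.0.2.11", "grade": "B"},
    ],
}

if __name__ == "__main__":
    worst, detail = summarize(CONSTRUCTED_REPORT)
    print(f"worst grade: {worst}  endpoints: {detail}  meets A: {meets_bar(CONSTRUCTED_REPORT)}")
```

Run it against a real host with `fetch_report("your.host.example")` in place of the constructed report; an assessment typically takes a few minutes, so the poll loop waits rather than hammering the API.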
The REST API and Windows service used for data transfer between SARA and your agency CMS sit behind the SARA firewall and only respond to incoming requests; they never initiate connections outward. The Career Index Corporation provides a utility that is installed behind the agency's firewall. This Windows service needs access to a data store used for staging data in both directions (SARA data is never written directly to the agency CMS, and CMS data is never read directly by SARA). The utility is launched by a scheduled task that the agency controls. When it runs, it connects to the SARA API over HTTPS. The request carries a user ID and an encrypted password; the SARA API decrypts the password and compares the user ID, password, and source IP address of the connection against the values stored for that utility. The connection is accepted only if all three match. Because the source IP is part of the check, the agency needs a fixed egress address (for example a static NAT address) for the host running the utility; the IP check is a second factor on top of the credential, not a replacement for it.
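The three-way match described above (user ID, credential, source IP, with the request rejected unless all agree) can be written as a small server-side authorization function. The following is an added illustration, not SARA's code, and it makes two substitutions that a reviewer would ask for in any such check: the credential is stored as a salted PBKDF2 hash rather than a decryptable password, so a copy of the store does not yield usable passwords, and all comparisons are constant-time so a wrong user ID and a wrong password cost the same. The utility name, password, and address ranges in the demo are constructed, and the allow-list accepts single addresses or CIDR ranges so an agency with several egress addresses can be covered.

```python
"""Server-side authorization for a scheduled transfer utility: user ID,
credential and source IP must all match, else the request is refused.

Added example, not SARA's implementation. The credential is verified against a
salted PBKDF2-SHA256 hash (a substitution for the page's decryptable password);
the iteration count is kept modest here and should be raised for production.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class UtilityRecord:
    user_id: str
    salt: bytes
    password_hash: bytes
    allowed_sources: tuple  # IP addresses or CIDR ranges the agency egresses from


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Dummy values so that an unknown user ID still performs a hash computation.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


def register_utility(user_id: str, password: str, allowed_sources) -> UtilityRecord:
    """Create the stored record for a utility (what the operator would provision)."""
    salt = secrets.token_bytes(16)
    return UtilityRecord(user_id, salt, hash_password(password, salt), tuple(allowed_sources))


def source_allowed(client_ip: str, allowed_sources) -> bool:
    """True if client_ip falls inside any allowed address or CIDR range.

    An unparseable address fails closed; a bare address in the list is treated
    as a /32 (or /128) by ip_network(strict=False).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(src, strict=False) for src in allowed_sources)


def authorize(user_id: str, password: str, client_ip: str, registry: dict) -> bool:
    """All three checks must pass. Work is done even for unknown IDs so the
    response time does not reveal whether the user ID exists."""
    record = registry.get(user_id)
    salt = record.salt if record else _DUMMY_SALT
    expected = record.password_hash if record else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    ip_ok = record is not None and source_allowed(client_ip, record.allowed_sources)
    return record is not None and password_ok and ip_ok


if __name__ == "__main__":
    # Constructed registry: one agency utility allowed from a /24 and one extra host.
    registry = {
        "agency-cms-01": register_utility(
            "agency-cms-01", "correct horse battery staple", ["203.0.113.0/24", "198.51.100.7"]
        )
    }
    for ip in ("203.0.113.45", "198.51.100.7", "198.51.100.8"):
        print(ip, "->", authorize("agency-cms-01", "correct horse battery staple", ip, registry))
```

In a real service the registry lookup would hit the credential store and `client_ip` would come from the socket (or a trusted proxy header that the edge strips from inbound traffic), never from the request body.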
In terms of Personally Identifiable Information (PII), SARA stores only first and last name, email address, and cell phone number, information that is generally available in public directories but is still handled as PII. SARA does not collect or store SSN, date of birth, or the client's physical address.
PII is encrypted both in transit (over the HTTPS connections described above) and at rest, using 256-bit encryption algorithms.