What audits or certifications are available for Beacon?
​

Beacon uses an Expert Determination de-identification process for PHI/ePHI. Beacon completed an external, third-party penetration test. Finally, active SOC 1, Type 1 and a SOC 2, Type 1 audits are in progress. Once completed, Type 2 observation periods will commence for both.
​

How often is data backed up and for how long?
​
Beacon data backups are managed by Azure. This operates in a high-availability pair configuration with replicas in a second operational zone. This supports automated backups with weekly snapshots, incremental backups every 4 hours, and transaction log backups every 5 minutes.
​

This ensures a recovery point objective (RPO) of no greater than 5 minutes for all database operations. All data that is backed up is stored with best practice security approaches including least-privilege access control and data-at-rest encryption for the backup location.
​

What type of redundancies are in place to support availability and Business Continuity?
​
Beacon is based on a high-availability Kubernetes and Docker orchestrated environment leveraging on-demand processing. This provides orchestrated service uptime, scaling, failure recovery, deployment orchestration, and load balancing. This is done in a multi-region redundant environment, as well as leveraging multi-cloud storage for backups to support fast recovery in the event of a large-scale outage.​
​

Does Beacon log and retain logs for all critical events?
​
Beacon logs are collected and retained as part of the Security Information and Event Management (SIEM) solution. This supports log access and retention, periodic log review schedules, and issue or incident escalation procedures (as necessary) for the Beacon platform. This process also outlines the appropriate steps for the security team to take action on important alerts. Audit logs must be kept for the minimum period of two (2) years, or a minimum of six (6) months if no specific requirements exist.
​

Does Beacon utilize a central monitoring and alerting solution?
​
Beacon has established key metrics for availability, functionality, and operational health. Enterprise-class monitoring and alerting software provides real-time alerting for significant events. This supports situational awareness and observability of the environment providing a mechanism for escalation of severe incidents requiring intervention. For more information, visit the Trust Center resource on Technical and Physical Controls.
​

Does Beacon perform regular vulnerability scans? What is Beacon's patching cadence?
​
Beacon has an established Vulnerability Management policy. It defines a vulnerability classification system, response time objectives for each class of vulnerability, and the periodicity for vulnerability assessments (continuous). Environment patching is performed at least monthly. Critical patches may require more immediate action. For more information on Beacon’s Vulnerability Management policy, visit the resource Threat Identification and Analysis in the Trust Center
​

Is Beacon subject to regular penetration testing?
​
Beacon undergoes external, third-party penetration testing annually in accordance with SOC 2 best practices. This test covers web-application and system infrastructure. This is designed to assist in improving the system security posture and managing the risk of vulnerabilities within the system. For more information on Beacon’s penetration testing visit the resource Threat Identification and Analysis in the Trust Center.
​

Does Beacon employ physical security for its hosting facility? How is Beacon securing hosted equipment? Is there geographically separated redundant environments to support higher availability?
​
The Beacon environment is hosted in the Microsoft Azure environment. The Azure team manages physical and environmental security of hardware supporting the Beacon environment. Beacon leverages a multi-region solution that employs a geographically separated redundancy allowing for higher availability and regional separation to avoid significant disaster events (e.g., weather, earthquake) from crippling system operations. Azure’s compliance program is (at a minimum) reviewed annually (Azure Trust Center).
​

Does Beacon perform vendor security/risk assessments for all vendors in the supply chain?
​
Beacon performs annual (at a minimum) vendor security assessments for all vendors providing support (integrated solutions) for Beacon via vendor risk assessments including compliance documentation reviews (e.g., SOC 2 reports, ISO 27001 Certification). All vendors are tracked and are subject to regular review. For more information on Beacon’s vendor management program visit the resource Vendor and Supply Chain Management in the Trust Center.
​

What steps are being taken to build security into Beacon systems during the development process?
​
All Beacon software development follows a structured Software Development Lifecycle that controls system requirements, design and architecture processes, source management and versioning, automated deployment and testing, code security and composition analysis, and a multi-stage deployment model that separates development activities from production. The team regularly reviews industry standard code security guidelines (e.g., OWASP Top 10) to ensure best practices are followed for all application development. For more information on visit the resource Product Security in the Trust Center.

What type of security support is available for Beacon?

All Beacon support requests (including security support requests) should be submitted to the Beacon Support team inbox at [email protected]. This includes security requests (e.g., security questionnaires for risk assessments, compliance report requests) and notices of compromise (e.g., email address, bank account) that are necessary for ensuring the security of all interactions between Covered Entities and Beacon.