RightEye takes the security of our platform and data seriously. Our system architecture is built utilizing data encryption and 3rd party integration best practices built into the Vision System to secure Protected Health Information (PHI) and Personally Identifying Information (PII).
There are several terms used below to describe aspects of the RightEye Vision System:
- The RightEye Vision System consists of physical hardware and the eye-tracking application (or ‘app’).
- The RightEye Portal is the cloud-based interface for end-users to view reports and data.
- The RightEye API is used to securely access and display data on the RightEye Portal for authenticated end-users.
Listed below are the systematic precautions and tactical actions we have taken to help ensure the integrity of your RightEye system.
Data Storage
No PHI, PII, or eye-tracking data is stored on the RightEye Vision System.
RightEye stores raw eye-tracking and associated computed metrics in private Amazon S3 buckets. No individual or organizations outside of RightEye are ever given access to this data. An eye-tracking test subject’s information is stored in an Amazon RDS database to which access is restricted. Only RightEye engineering staff and applications have access to either the Amazon RDS or Amazon S3 data.
No eye-tracking or participant data exists outside of the production environment and it is a violation of RightEye policies to remove or copy data from this environment into another environment without first sanitizing it and removing any PHI and PII.
When logged into the online portal, a user’s session is expired after 30 minutes of inactivity.
Data Encryption & Authentication
All data, including PHI and PII, collected by the RightEye Vision System, are encrypted in flight when communicated between the RightEye application, Portal and the API. This same encryption standard applies for any web applications that are used for viewing assessment information or editing test subject’s data. The API and Portal applications require TLS 1.2 or higher when communicating with client.
Provider administrators must log into the RightEye application which will use the provided credentials to get an API token from the API. Each request to the API will present this token as a Bearer token which will be validated prior to executing the request. The Eye Tracker Application uses this authentication information to communicate with the API. The Eye Tracker application initiates all outbound requests on port 443 and requires no inbound network rules.
Data Sharing
The RightEye API follows the OAuth 2.0 standard for authentication and authorization.
RightEye classifies all PHI and PII for the purpose of making sure that all data is handled in the most appropriate manner in all circumstances. No personally identifying information is ever shared or viewed without consent of a Provider, Participant. From time to time, when the need arises, RightEye engineering staff will access production data for the purpose of diagnosing a system problem or changing the structure of data.
Research
RightEye reserves the right to create a clinical research environment where anonymized eye-tracking and test subject demographic data can be stored for the purpose of clinical research and training machine learning models. This will be done in strict accordance to HIPAA and any other applicable laws.