Security & Trust

Uber-secure by design. Seriously.

Hardened military-grade security and easy compliance for HIPAA, GDPR, CCPA, your IRB, and every other need.

Every Storyline account is designed to prevent you from discovering how safe it is.

We’re deliberate about what data we access and how we use that data in our work. Our teams are responsible for protecting the confidentiality, integrity, and availability of all data, client information, and intellectual property that’s entrusted to us.

Communication Protocols

All communication with Storyline goes through HTTPS. In fact, our API is only available on port 443 via HTTPS and our public websites force HTTPS with HSTS.

Tokenize personal data with our flexible JSON and BLOB data stores. Tokenization protects personal data and helps your research comply with data protection laws such as HIPAA, GDPR, CCPA, and your IRB.

Encryption / Decryption

All records are encrypted with 256-bit AES keys as soon as they enter Storyline’s infrastructure. Every record is encrypted under its own unique encryption key with a unique initialization vector, which gives semantic security. Storyline verifies each record’s integrity both regularly and on every record request, using a hash-based message authentication code (HMAC) computed with the record’s own unique 256-bit HMAC key. Encryption keys, initialization vectors and HMAC keys are re-keyed regularly, and each record is re-encrypted under the new material.
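As an added illustration (not Storyline’s own code, whose internals are not published here), the following Go sketch shows the pattern this section describes: each record gets its own AES-256 key, IV and 256-bit HMAC key, the ciphertext is authenticated with encrypt-then-MAC, and the tag is checked on every read before anything is decrypted. The type and function names are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RecordKeys is the per-record material the page describes (names assumed): a
// 256-bit AES key, a separate 256-bit HMAC key and an IV used for this record only.
type RecordKeys struct{ EncKey, MacKey, IV []byte }

// NewRecordKeys draws fresh material for one record from the OS CSPRNG.
func NewRecordKeys() RecordKeys {
	buf := make([]byte, 32+32+aes.BlockSize)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no CSPRNG available: never continue with weak keys
	}
	return RecordKeys{EncKey: buf[:32], MacKey: buf[32:64], IV: buf[64:]}
}

// tag is HMAC-SHA256 over IV||ciphertext under the record's own MAC key.
func tag(k RecordKeys, ct []byte) []byte {
	m := hmac.New(sha256.New, k.MacKey)
	m.Write(k.IV)
	m.Write(ct)
	return m.Sum(nil)
}

// ctr runs AES-256-CTR under the record's key and IV; encrypt and decrypt are the same
// operation. aes.NewCipher fails only on a wrong key length, fixed at 32 bytes above.
func ctr(k RecordKeys, in []byte) []byte {
	block, _ := aes.NewCipher(k.EncKey)
	out := make([]byte, len(in))
	cipher.NewCTR(block, k.IV).XORKeyStream(out, in)
	return out
}

// Seal is encrypt-then-MAC: encrypt first, then authenticate the ciphertext.
func Seal(k RecordKeys, plaintext []byte) (ct, mac []byte) {
	ct = ctr(k, plaintext)
	return ct, tag(k, ct)
}

// Open verifies the tag in constant time before decrypting, so a record whose
// ciphertext or tag was altered in storage is rejected instead of returned.
func Open(k RecordKeys, ct, mac []byte) ([]byte, error) {
	if !hmac.Equal(mac, tag(k, ct)) {
		return nil, errors.New("record integrity check failed")
	}
	return ctr(k, ct), nil
}
```

Re-keying, as the section describes it, is then a matter of calling Open under the old RecordKeys and Seal under a freshly drawn one.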

Network. Security.

Each Storyline subsystem is completely segmented from the others by software and network security rules to maximize data protection. Storyline does not store encrypted records and their encryption keys in the same server cluster, and each subsystem can only be reached by another subsystem over specific network routes and specific inbound and outbound port rules.

The API Subsystem — This subsystem handles all incoming HTTPS API requests. As soon as a request comes in, the incoming record is transmitted to the Encryption Subsystem without the record ever leaving the secure memory space. Records are never persisted to disk at any time.

The Encryption Subsystem — This subsystem handles all record encryption and decryption. This cluster of servers requests keys from the Key Management Subsystem, encrypts each record with a unique initialization vector, calculates the record’s HMAC, then sends the encrypted binary to the Encrypted File Storage Subsystem. It is critical to note that the encryption and decryption keys are never stored in this subsystem and are released from memory as soon as possible. Additionally, this subsystem receives the record without any knowledge of its context, account, or metadata.

The Key Management Subsystem — This subsystem stores the encryption keys, initialization vectors, and HMAC keys for all records in Storyline. This cluster of servers has no knowledge of how the keys are used. No identifiable information of the records will enter this system.

The Encrypted File Storage Subsystem — This subsystem is used to store encrypted BLOBs. This cluster also has no knowledge of what is being stored. All BLOBs are distributed to at least 3 nodes to ensure high availability.

Hardened Data Storage

Establishing and maintaining HIPAA compliance for human research can be a time-consuming and frustrating ordeal. The process can add months to your timeline and requires ongoing attention and effort.

Storyline provides a secure research solution out of the box.

Our battle-tested safeguards allow you to meet HIPAA physical and technical safeguards and GDPR data minimization requirements while keeping your data safe—without the hassle of trying to manage it all yourself.

We believe everyone should own their own data.

We understand that we’re trusted with sensitive information. That’s why we build data security and privacy controls into everything we make, right from the start. Our data-ownership model also permits the removal of data at every level—from an individual participant to an entire study.

All Storyline team members and contractors undergo rigorous security and compliance training administered by a third party. Additionally, we undergo a comprehensive risk analysis making us HIPAA and HITECH compliant (following the Privacy Rule, Security Rule, and Breach Notification Rule).


TRUSTED SECURITY

Every row of data is a life.

Data tells a story about people. That’s why privacy, security, and ownership underlie Storyline’s culture, solutions, and operations.

Security requirements for HIPAA, HITECH, GDPR, and CCPA can take months to design and implement.

That’s why we built Storyline with the most advanced security technologies and privacy controls built-in.

Storyline’s security is always the most current version and is updated automatically without the need to download or install anything, letting you focus on your work instead of the basic security problems that everyone working in healthcare has to solve.

The result: a comprehensive security, control, and data ownership solution that works right out of the box.

Storyline’s core is built on the same infrastructure that handles billions of critical legal, financial, and healthcare interactions every day.

Are you spending a lot of time on security only to find that you’re spending a lot of time on security?
