Uber-secure by design. Seriously.

Communication Protocols

All communication with Storyline goes through HTTPS. In fact, our API is only available on port 443 via HTTPS and our public websites force HTTPS with HSTS.

Tokenize personal data with our flexible JSON and BLOB data stores. Tokenization protects personal data and helps your research comply with data protection laws such as HIPAA, GDPR, CCPA, and your IRB.

Encryption / Decription

All records are encrypted with 256-bit AES encryption keys as soon as they enter Storyline’s infrastructure. Every record is encrypted with a unique initialization vector by a unique encryption key for semantic security. Storyline regularly verifies each record’s integrity and on each record request using a hash-based authentication code (HMAC) calculated using its own unique 256-bit HMAC key. Encryption keys, initialization vectors and HMAC keys are re-keyed and each record re-encrypted regularly.

Network. Security.

Each Storyline subsystem is totally and completely segmented from one another by software and network security rules to maximize data protection. Storyline does not store encrypted records and their encryption keys in the same server cluster and each subsystem can only be accessed by another subsystem via specific network routes and specific inbound and outbound port rules.

The API Subsystem — This subsystem handles all incoming HTTPS API requests. As soon as a request comes in, the incoming record is transmitted to the Encryption Subsystem without the record ever leaving the secure memory space. Records are never persisted to disk at any time.

The Encryption Subsystem — This subsystem handles all record encryption and decryption. This cluster of servers requests keys from the Key Management Subsystem and encrypts each record with a unique Initialization Vector, calculates the record’s HMAC, then sends the encrypted binary to the Encrypted File Storage Subsystem. It is critical to note the encryption and decryption keys are never stored in this subsystem and are immediately released from memory as soon as possible. Additionally, this subsystem receives the record without any knowledge of its context, account, or meta data.

The Key Management Subsystem — This subsystem stores the encryption keys, initialization vectors, and HMAC keys for all records in Storyline. This cluster of servers has no knowledge of how the keys are used. No identifiable information of the records will enter this system.

The Encrypted File Storage Subsystem — This subsystem is used to store encrypted BLOBs. This cluster also has no knowledge of what is being stored. All BLOBs are distributed to at least 3 nodes to ensure high availability.

Hardened Data Storage

Establishing and maintaining HIPAA compliance for human research can be a time consuming and frustrating ordeal. The process can add months to your timeline and requires ongoing attention and effort.

Storyline has provides a secure research solution out of the box.

Our battle-tested safeguards allow you to meet HIPPA physical and technical safeguards and GDPR data minimization requirements while keeping your data safe—without the hassles of trying to manage it all yourself.

We believe everyone should own their own data.

We understand that we’re trusted with sensitive information. That’s why we build data security and privacy controls into everything we make, right from the start. But our data-ownership also permits the removal of data at every level—from an individual participant to an entire study.

All Storyline team members and contractors undergo rigorous security and compliance training administered by a third party. Additionally, we undergo a comprehensive risk analysis making us HIPAA and HITECH compliant (following the Privacy Rule, Security Rule, and Breach Notification Rule)