This Security Statement applies to the products, services, websites and apps offered by Next Level Center Management Solutions (the “services”).
Next Level values the trust that you place in us by letting us act as custodians of the data you collect and store in order to serve your missional clients and donors. We take very seriously our responsibility to protect and secure that private information.
Next Level’s information systems and technical infrastructure are hosted within world-class data centers which maintain state-of-the-art physical security and meet a broad set of international and other compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2. Physical security controls at these data centers include 24x7 monitoring, cameras, visitor logs, entry limitations, and all that you would expect at a high-security data processing facility.
Access to Next Level’s technology resources is only permitted through secure connectivity (e.g., VPN, SSH) and requires multi-factor authentication. Our production password policy requires complexity, expiration, and lockout, and disallows reuse. Next Level grants access on a need-to-know basis, reviews permissions quarterly, and revokes access immediately after employee termination.
Next Level maintains and regularly reviews and updates its information security policies, at least on an annual basis. Employees must acknowledge policies on an annual basis and undergo additional training pertaining to job function. Training is designed to adhere to all specifications and regulations applicable to Next Level.
Next Level conducts background screening at the time of hire (to the extent permitted by applicable laws). In addition, Next Level communicates its information security policies to all personnel (who must acknowledge this), and failure to adhere to these policies may subject an employee to discipline, up to and including termination.
Next Level encrypts all data at rest in our data centers using AES-256 based encryption. Additionally, Next Level encrypts all data in motion using (i) RSA certificates with 2048-bit keys, issued by a public Certificate Authority, for communications with entities outside Next Level’s data centers, and (ii) RSA 256 certificates issued by an internal Certificate Authority, for all data within the data center.
Our development team employs secure coding techniques. Developers are formally trained in secure web application development practices upon hire and annually.
Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
Next Level maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.
Next Level does not sell, share, or otherwise disclose the private personal information of your clients or donors unless required by an applicable law. Neither Next Level nor its parent organization will contact your donors or clients at any time for any purpose, without your express, written consent. All statistics and data analysis stemming from your client and donor data will first be de-identified for the protection and privacy of your clients, donors, and organization.
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Next Level learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country-level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Business Continuity Management
Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity. Next Level employs a backup strategy to ensure minimum downtime and data loss. The Business Continuity Plan (BCP) is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.
Keeping your data secure also requires that you maintain the security of your account by using sufficiently complex passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.
Logging and Monitoring
Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Next Level personnel, when appropriate. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their accounts.
While all life-affirming pregnancy help service providers who agree to the Commitment of Care and Competence are committed to protecting the confidential information of the individuals they serve, HIPAA does not apply to the overwhelming majority of life-affirming pregnancy help service providers. Nevertheless, some centers elect to voluntarily comply with certain aspects of HIPAA, using HIPAA as a guide in supporting their policies and procedures regarding confidentiality. Therefore, Next Level Center Management Solutions was designed with HIPAA in mind and has the tools to support a center seeking to voluntarily comply, in whole or in part, with HIPAA.
There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a cloud service provider such as Next Level could demonstrate compliance with HIPAA and the HITECH Act.