Security and Privacy

At Innovative Imaging Technologies (IIT), we understand that security and privacy are not merely concerns for our partners and clients, they are necessities. That’s why we’ve designed the Reacts collaboration platform to adhere to the strictest medical grade communications requirements, and we’re committed to continuously maintaining and upgrading our technologies and processes in step with evolving industry needs and innovations.

Culture and Processes

Professional remote collaboration systems, medical or otherwise, are based on certain underlying requirements such as accessibility and usability, interactivity, reliability, security, confidentiality, and traceability. Building on these basic tenets, our Information Security and Compliance team ensure that we follow best practices in everything we do, including:

  • Employment practices
  • Ongoing privacy and security training
  • Strict access control and storage guidelines
  • Regular external testing and compliance audits
  • Continuous monitoring and updating

Please note that a user’s data stored in his/her Reacts library or secure messaging is not accessible to IIT employees, and that IIT does not record any of the communications or video sessions.

Design and Technology

The Reacts platform was conceived under the guidance of clinicians and visionary leaders with the needs and constraints of both healthcare professionals and patients in mind. The platform architecture was then designed by a multidisciplinary team including networking and security compliance experts.

All access points to the Reacts APIs and services require secure connections using Transport Layer Security (TLS) and industry standard encryption methods. The platform’s audio/video communications utilize the DTLS-SRTP security context to encrypt and decrypt streams from end to end, while the database and backups are encrypted at rest using Transparent Data Encryption (TDE) with AES 256 block mode encryption. Reacts also implements measures to reduce data management risks on client-owned devices.

The Reacts platform’s infrastructure, virtual machines and other cloud resources are hosted in two separate Canadian Microsoft Azure regions, using the appropriate monitoring, redundancy and automatic disaster recovery mechanisms.


Compliance and Audit

IIT has implemented appropriate technical and organizational measures regarding its security and privacy practices, including certification of Reacts by the Quebec Ministry of Health and Social Services, and regular reviews of the industry’s best practices and PIPEDA, HIPAA, GDPR and PHIPA privacy laws. Reacts’ development process includes regular penetration testing and compliance assessments by independent and specialized third parties.

As per the compliance of Innovative Imaging Technologies (IIT) with several laws related to the security and the protection of personal information, IIT is mainly considered as a Processor, a Business Associate and/or a Service Provider regarding the processing of the personal information arising from the use of the Reacts platform. Thus, IIT cannot carry out the processing of the personal information other than in compliance with the applicable laws and/or as defined in a written agreement with the relevant controller, covered entity or custodian of the personal information, as the case may be.

In the light of the above, IIT makes its security and privacy decisions considering industry best practices and several data protection laws, such as PIPEDA, HIPAA, GDPR and PHIPA. IIT is subject to each of these laws in the context they apply and must comply with them. Consequently, IIT has implemented appropriate technical and organizational measures to protect personal information, including sensitive personal information such as personal health information, as required by the data protection laws mentioned previously.

Among other safeguards implemented by IIT, here are some of the technical and organizational measures:

  • Reacts has obtained the certification from the Quebec Ministry of Health and Social Services;
  • IIT has policies and procedures regarding its methodologies relating to security and privacy. For instance, IIT has a policy regarding its system and information access control. These policies and procedures are subject to continuous review as required and at least once a year;
  • IIT ensures that it has effective measures in place to limit the collection, access, use and disclosure of confidential and personal information as well as to ensure that the information resulting from the use of Reacts are encrypted in transit and at rest;
  • IIT ensures that the information remains in Canada in terms of storage and backups;
  • IIT ensures that it has agreements in place with its third parties, which may include having a Business Associate Agreement (BAA) or a Data Protection Agreement (DPA) when necessary. IIT will only select third party after having assessed its security and privacy measures;
  • IIT ensures that all of its employees receive training in security and privacy, including monthly awareness activities on that mater. Training is mandatory upon hiring, annually, when necessary for a particular position and as needed (e.g. HIPAA and GDPR);
  • IIT has implemented an incident and breach management process;
  • Users can access their personal information directly through their Reacts Account as well as to modify such information if inaccurate or incomplete;
  • The Reacts development process includes regular penetration and compliance tests performed by independent and specialized third parties regarding security, availability, processing integrity and protection of personal data. To this end, these assessments are often inspired by industry best standards or data protection law (for instance, the GDPR or the ISO/IEC 27001 standard).