Security in YouthCenter

YouthCenter’s robust security is at the center of everything we do
so you can be sure your data is always safe and protected.

COMPLIANCE

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data.

YouthCenter has received its HIPAA Seal of Compliance. This verification validates YouthCenter’s “good faith effort” to satisfy the HIPAA law and regulations and is a testament to our dedication to maintaining the highest standards of security and privacy.

If you need a signed BAA, please send a request to [email protected] and our BAA will be sent to you for signature.

To receive the Seal of Compliance Letter please send a request to [email protected].

PCI-DSS

Although YouthCenter’s services are out of scope for PCI-DSS because we do not process card data on behalf of our customers, we are PCI-DSS compliant based on our parent organization’s (BizStream) compliance.

Written Information Security Policy (WISP)

If you would like to receive a copy of YouthCenter’s latest WISP, please send a request to [email protected]. Since an NDA is required, please include your company’s full name, company address, and place of incorporation.

PRODUCT SECURITY

Audit Logs

Every change to any client form or field in YouthCenter is added to the Client Audit Log. The log records who made the change, when it was made, and exactly what the data was before and after the change. It can be filtered by date, object, user, and more.
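The following is an added illustration of the kind of field-level audit record described above; it is not YouthCenter’s code, and the names (AuditEntry, record_change, filter_log) and the sample client records are constructed for the example. It shows two details a practitioner would check for: only fields that actually changed are recorded (a no-op save produces no entry), and every entry is timestamped in UTC so date filters are unambiguous.

```python
"""Field-level audit log: who, when, which record, before/after per field.

Added illustration, not YouthCenter's implementation. Names and sample
records are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime                        # UTC time the change was committed
    user: str                                  # who made the change
    obj: str                                   # which record, e.g. "client:1042"
    changes: Dict[str, Tuple[object, object]]  # field -> (before, after), changed fields only


def diff_fields(before: dict, after: dict) -> Dict[str, Tuple[object, object]]:
    """Return {field: (old, new)} for every field whose value differs.

    A field present on only one side is reported with None on the other,
    so added and removed fields are captured as well as edits."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def record_change(log: List[AuditEntry], user: str, obj: str,
                  before: dict, after: dict,
                  now: Optional[datetime] = None) -> Optional[AuditEntry]:
    """Append an entry describing a save of `obj` by `user`.

    Returns None, and logs nothing, when no field actually changed, so a
    no-op save does not create a misleading audit record."""
    changes = diff_fields(before, after)
    if not changes:
        return None
    entry = AuditEntry(now or datetime.now(timezone.utc), user, obj, changes)
    log.append(entry)
    return entry


def filter_log(log: List[AuditEntry], user: Optional[str] = None,
               obj: Optional[str] = None, since: Optional[datetime] = None,
               until: Optional[datetime] = None,
               field_name: Optional[str] = None) -> List[AuditEntry]:
    """Filter by any combination of user, object, date window and field."""
    return [e for e in log
            if (user is None or e.user == user)
            and (obj is None or e.obj == obj)
            and (since is None or e.timestamp >= since)
            and (until is None or e.timestamp < until)
            and (field_name is None or field_name in e.changes)]


# Constructed timestamps for the sample log below.
T0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2025, 1, 11, 14, 30, tzinfo=timezone.utc)


def build_sample_log() -> List[AuditEntry]:
    """Constructed sample: a guardian phone correction, then a school added."""
    log: List[AuditEntry] = []
    record_change(log, "jdoe", "client:1042",
                  {"guardian_phone": "555-0100", "city": "Kent"},
                  {"guardian_phone": "555-0199", "city": "Kent"}, now=T0)
    record_change(log, "msmith", "client:1042",
                  {"guardian_phone": "555-0199", "city": "Kent"},
                  {"guardian_phone": "555-0199", "city": "Kent",
                   "school": "Lincoln HS"}, now=T1)
    return log


if __name__ == "__main__":
    for e in filter_log(build_sample_log(), obj="client:1042"):
        print(e.timestamp.isoformat(), e.user, e.obj, e.changes)
```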

Multi-factor authentication (MFA)

In Q1 2025, YouthCenter will move to Auth0 for authentication, which will include the option of multi-factor authentication.

Role-based access control (RBAC)

YouthCenter administrators can easily add and remove account users. YouthCenter is deployed with predefined user roles and their permissions; however, administrators may add and remove roles as their organization requires.

Secure Transmission and Sessions

Connections to a YouthCenter instance use the SSL/TLS cryptographic protocols with global step-up certificates, so that users have a secure connection from their browsers to our service.

Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.

Login IP Restrictions in YouthCenter

Login IP ranges limit unauthorized access by requiring users to log in to YouthCenter from designated IP addresses, typically your organization’s network, designated customer networks, or a VPN. Admins define the ranges of permitted IP addresses to control access to YouthCenter; anyone who tries to log in from outside the designated ranges is not granted access.
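An IP restriction is only as good as the address it checks, so the added example below (not YouthCenter’s code; the function names and the address ranges are constructed, using the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32) shows the two parts a practitioner would want to see: CIDR matching of the login address against an admin-defined list, and the rule for deciding which address to check when the service sits behind a reverse proxy. The X-Forwarded-For header is attacker-controlled unless the TCP peer is one of your own proxies, and even then only the rightmost hop that is not a trusted proxy can be believed.

```python
"""Login IP range enforcement with correct handling of proxy headers.

Added example, not YouthCenter's code. Names and ranges are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse admin-entered ranges; a bare address becomes a /32 or /128.
    strict=False accepts host bits set in the CIDR (e.g. 203.0.113.7/24)."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in ranges]


def in_ranges(addr: Address, nets: List[Network]) -> bool:
    # `in` returns False across IP versions, so mixed v4/v6 lists are safe.
    return any(addr in n for n in nets)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: List[Network]) -> Optional[Address]:
    """Determine the address that an IP restriction should be checked against.

    remote_addr is the TCP peer (from the socket, so it cannot be forged).
    X-Forwarded-For is consulted only when that peer is one of our own
    proxies, and then only the rightmost hop that is not itself a trusted
    proxy is believed: anything an attacker prepends sits to the left of it.
    Returns None when no trustworthy address can be determined."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not in_ranges(peer, trusted_proxies):
        return peer                          # direct connection; header ignored
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None                      # malformed header: fail closed
        if not in_ranges(addr, trusted_proxies):
            return addr
    return None                              # chain contained only our proxies


def login_allowed(addr: Optional[Address], allowed: List[Network]) -> bool:
    """Deny when the address is unknown or outside every permitted range."""
    return addr is not None and in_ranges(addr, allowed)


if __name__ == "__main__":
    allowed = parse_ranges(["203.0.113.0/24", "2001:db8:1::/48"])
    proxies = parse_ranges(["10.0.0.0/8"])
    # Constructed requests: (socket peer, X-Forwarded-For header)
    for peer, xff in [("203.0.113.7", None),
                      ("198.51.100.9", "203.0.113.7"),
                      ("10.0.0.5", "203.0.113.7, 10.0.0.5"),
                      ("10.0.0.5", "203.0.113.7, 198.51.100.9")]:
        print(peer, xff, "->", login_allowed(client_ip(peer, xff, proxies), allowed))
```

The second constructed request is the important one: a client outside the allowed range sends a forged header naming an allowed address, and because the peer is not a trusted proxy the header is ignored and login is denied. The fourth shows that prepending an allowed address behind a real proxy does not help either.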

DATA SECURITY

Data encrypted at-rest

Data is encrypted at-rest using AES-256.

Data encrypted in-transit

We encrypt data in transit using HTTPS/TLS. The TLS version supported is currently TLS 1.2 or newer.

Password encryption

Users’ account passwords are stored hashed with SHA-256 rather than in recoverable form.
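The page states the hash algorithm but not whether the hash is salted or iterated, and that is the detail a reviewer would ask about: a single unsalted SHA-256 is fast to brute-force and gives every user with the same password the same digest. The added example below (not YouthCenter’s code; function names and the iteration count are this example’s choices) contrasts a bare SHA-256 with PBKDF2-HMAC-SHA256, which keeps SHA-256 as the primitive but adds a per-user salt, a tunable work factor, and a constant-time comparison on verification.

```python
"""Password storage: bare SHA-256 versus salted, iterated PBKDF2-HMAC-SHA256.

Added example, not YouthCenter's code. Function names and the iteration
count are this example's choices.
"""
import base64
import hashlib
import hmac
import os

# OWASP Password Storage Cheat Sheet (2023) recommends 600,000 iterations
# for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def bare_sha256(password: str) -> str:
    """An unsalted, single-round SHA-256 of the password: identical passwords
    give identical digests, so one cracked hash (or a precomputed table)
    exposes every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Format: pbkdf2_sha256$<iters>$<salt>$<digest>,
    so the parameters travel with the hash and can be raised later."""
    salt = os.urandom(16)                           # fresh random salt per hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError, AttributeError):
        return False
    if iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print("bare   user1:", bare_sha256("hunter2"))
    print("bare   user2:", bare_sha256("hunter2"))      # identical
    print("pbkdf2 user1:", hash_password("hunter2"))
    print("pbkdf2 user2:", hash_password("hunter2"))    # differ (different salts)
```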

PRIVACY

Privacy Policy

The YouthCenter Privacy Policy describes how we collect, use, and handle personal information when you use our platform, website(s), app(s), data analytics software, and other services.

Visit our privacy policy here.

DATA PROTECTION OFFICER (DPO)

Our appointed Data Protection Officer is responsible for ensuring that all our data protection measures are up to date and all procedures are followed. The DPO works with experienced security professionals (CISO, CISM, CRISC, CISSP, CISA, CIPM, CEH, CIPP/E, CDPSE).

Data Ownership

All data entered into YouthCenter is owned by the respective organization. YouthCenter retains no rights to the data.

Data Removal Requests

Administrators may delete juvenile data in a multi-step process. In the case where juvenile data may not be deleted in the multi-step process, administrators may reach out to [email protected] for assistance.

INCIDENT MANAGEMENT AND RESPONSE

Data Breach Notification

In the event of any actual or reasonably suspected information security breach or other incident affecting the security or integrity of your data, YouthCenter will adhere to the policies defined in the YouthCenter Information Security Incident Response Plan and will notify you in accordance with applicable law.

Incident Response Plan (IRP)

YouthCenter operates a formal security incident management process under a related policy and procedure. Escalation procedures exist to ensure the timely communication of any security incident through the management chain and to any affected customers without undue delay.

Availability and Reliability

YouthCenter uses the Microsoft Azure Government Cloud platform because it has been architected to be one of the most flexible, reliable, and secure cloud environments available today, allowing our customers to benefit from this data infrastructure.

Our infrastructure is divided into multiple, geographically dispersed facilities in data centers designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, extra power sources, extra air conditioning units, and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all visits are logged.

We have designed our service for high availability of no less than 99.75%.

Infrastructure Redundancy

YouthCenter services are deployed to benefit from the infrastructure redundancy of the Microsoft Azure platform.

Quality Assurance Testing (QA)

YouthCenter follows a change management process for changes to the production environment. All code changes must undergo a peer code review and include automated unit, functional, and security testing. Testing is performed after deployments to validate application functionality. If validation fails, the application is rolled back to its previous version.

Service Monitoring

YouthCenter uses industry-standard monitoring systems to detect service-related issues. The YouthCenter team is alerted 24/7 when threshold criteria are exceeded.

YouthCenter Status Page

ORGANIZATIONAL SECURITY

Confidentiality Agreements

Our service agreements require the confidential treatment of confidential customer information, including customer data. All of our employees, contractors, and vendors sign confidentiality agreements to protect confidential information.

Employee Security Training

We train all new employees about their confidentiality, privacy, and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access.

Limited Employee Access (principle of least privilege)

YouthCenter follows the principle of “least privilege” in governing employee access to our systems. Access to our customers’ data is limited to legitimate business needs, including activities needed to support our customers’ use of our services.

We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically review employee access to internal systems to ensure that employees’ access rights and patterns are in line with their current positions.

A formal employee termination notification process exists, which is initiated by our Human Resources (“HR”) department. Upon notice by HR, all physical and system accesses are promptly revoked.

Physical Access Control

YouthCenter has implemented appropriate controls to restrict physical access to its offices.

Our cloud service providers have implemented robust security measures to control physical access to the data processing facilities we use.

Secure Remote Network Access

YouthCenter’s employee workstations use Zero Trust controls that provide end-to-end network encryption, layered security, and identity and access management with MFA, in order to provide a private, secure connection both to the internet and to YouthCenter’s work-related network assets.

All remote connections are monitored regularly, and employees are alerted if they are disconnected from the network or if any other security notification is triggered.

Password Manager

YouthCenter understands the importance of managing user passwords and has implemented a secure password management system across the company to protect and manage employee and organizational passwords.

BUSINESS CONTINUITY

Business Continuity Plan

YouthCenter has implemented an integrated Business Continuity and Disaster Recovery Policy and maintains related plans under the policy. Please see the text under ‘Disaster Recovery Plan’ for more information on this topic.

Disaster Recovery Plan

YouthCenter maintains essential disaster avoidance, readiness, and recovery planning capabilities through the use of multiple geographically dispersed data centers, our platform architecture, offsite data backup, and remote access capabilities. We also maintain a Business Continuity and Disaster Recovery Policy and related plans, and test them on a regular basis.

Data Backups

YouthCenter stores all customer data on Microsoft Azure Government Cloud storage systems, utilizing hot backups stored in secure Azure facilities offsite from the production facilities. Access to backup media is highly restricted.

Environmental Safeguards

YouthCenter hosts its data and application on Microsoft Azure Government Cloud, for its production infrastructure environment.

Azure’s safeguards include the following:

Access Control and Physical Security

  • 24-hour manned security, including foot patrols and perimeter inspections
  • Biometric scanning for access
  • Dedicated concrete-walled Data Center rooms
  • Computing equipment in access-controlled steel cages
  • Video surveillance throughout facility and perimeter
  • Building engineered for local seismic, storm, and flood risks
  • Tracking of asset removal

Environmental Controls

  • Humidity and temperature control
  • Redundant (N+1) cooling system

Power

  • Underground utility power feed
  • Redundant (N+1) CPS/UPS systems
  • Redundant power distribution units (PDUs)
  • Redundant (N+1) diesel generators with on-site diesel fuel storage

Network

  • Concrete vaults for fiber entry
  • Redundant internal networks
  • Network neutral; connects to all major carriers and located near major Internet hubs
  • High bandwidth capacity

Fire Detection and Suppression

  • VESDA (very early smoke detection apparatus)
  • Dual-alarmed, dual-interlock, multi-zone, pre-action dry pipe water-based fire suppression

INFRASTRUCTURE

YouthCenter is hosted on Microsoft Azure, the gold standard in cloud security.
YouthCenter’s data centers are on Microsoft Azure Government Cloud (US based).

Azure data centers maintain robust physical security standards and are ISO 27001, ISO 27017, ISO 27018, ISO 27032, HIPAA, FedRAMP, SOC-1, and SOC-2 compliant.

Multi-Tenant Architecture

YouthCenter provides its service using a multi-tenant architecture with the data in each customer account logically separated from other accounts. The data is encrypted at rest using AES-256.

ISO 27001 – Data Center

Microsoft Azure data centers are certified as compliant with the following ISO standards: ISO 27001:2013, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2019.

SOC 2 Type II — Data Center

Microsoft Azure data centers are certified under SOC 2 Type II for the Security, Confidentiality, Availability, and Privacy trust principles.

Physical Access Control – Data Center

For more information, please navigate to the following link that further describes Microsoft’s security around the Azure Infrastructure.

https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security

THREAT MANAGEMENT

Penetration Testing

YouthCenter has an independent, third-party security vendor who conducts penetration testing of our internal and external infrastructure and services on a regular basis.