The most common questions we get about how we handle personal data and patient information can be found below:
We only need a unique ID per patient. You choose the type of ID to use.
As an example: First and last name is preferred, but not needed. Email is also preferred if you want to give the patient the exercise programme as an App.
All data is replicated on multiple servers in real time, and backups are stored on Microsoft Azure servers located in Dublin, Ireland. ExorLive processes and stores data in accordance with current EU directives. The servers are administered by a limited number of authorized technical personnel at ExorLive Headquarters in Oslo, Norway. The degree of anonymization can be chosen by the organisation. ExorLive encrypts data traffic through HTTPS.
Security in ExorLive is enforced by a strict security policy, and does not permit entities to be accessed or manipulated across organisations. Within the organisation, security is role based and users can be given administrative roles on a unit/department level.
The application is always accessed over SSL, safeguarding the information being exchanged between the client and the server from eavesdropping. ExorLive stores only a hash of the user’s password, and when authenticating through ExorLive’s regular interface, a salt, hashing, and a short-lived challenge are used to ensure that message replay cannot be used to wrongfully gain access.
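The login scheme above is described only in outline. The following is an added example, not ExorLive's code, showing how a server that stores only a salted hash can still authenticate with a short-lived, single-use challenge so that a captured response cannot be replayed. The message layout (salt and nonce sent to the client, an HMAC over the nonce sent back), the PBKDF2 parameters, the 30-second expiry window and all function names are assumptions made for the illustration.

```python
"""Added example: challenge-response login against a salted password hash.

Not ExorLive's code. Message format, expiry window and names are assumptions
chosen to illustrate the salt + hash + short-lived challenge pattern.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000      # assumed work factor
CHALLENGE_TTL_SECONDS = 30       # assumed challenge lifetime


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted password hash. Both sides can compute it; only the server stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthServer:
    """Stores salt + verifier per user; issues single-use, time-limited challenges."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be tested offline
        self._users = {}           # username -> (salt, verifier)
        self._challenges = {}      # nonce -> (username, issued_at)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_verifier(password, salt))

    def issue_challenge(self, username: str):
        """Step 1, server -> client: (salt, nonce). Returns None for unknown users."""
        entry = self._users.get(username)
        if entry is None:
            return None
        nonce = secrets.token_bytes(16)
        self._challenges[nonce] = (username, self._clock())
        return entry[0], nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Step 3: check the response. The nonce is consumed whether or not it matches,
        so a second presentation of the same response is rejected as a replay."""
        issued = self._challenges.pop(nonce, None)
        if issued is None:
            return False                       # unknown or already-used nonce
        owner, issued_at = issued
        if owner != username or self._clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False                       # wrong user or expired challenge
        _salt, verifier = self._users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2, client -> server: HMAC over the nonce keyed with the salted hash.
    The password itself never leaves the client."""
    verifier = derive_verifier(password, salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def run_login(server: AuthServer, username: str, password: str):
    """Full three-step exchange. Returns (nonce, response, accepted) so the caller
    can show that re-sending the same response is refused."""
    challenge = server.issue_challenge(username)
    if challenge is None:
        return None, None, False
    salt, nonce = challenge
    response = client_respond(password, salt, nonce)
    return nonce, response, server.verify(username, nonce, response)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse")          # constructed sample account
    nonce, response, ok = run_login(srv, "alice", "correct horse")
    print("first login accepted:", ok)
    print("replayed response accepted:", srv.verify("alice", nonce, response))
```

Two design points are worth noting. The response is bound to a nonce the server chose and remembers, so an intercepted response is useless once the nonce has been consumed or has aged out. And because the stored verifier is the HMAC key, it must be protected as carefully as a password, which is one reason the exchange is additionally carried over SSL as the FAQ states.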
External services are required to use the SSL-enabled endpoints to ensure transport security. The system provides integrity by ensuring that users are not able to insert or edit entities they are not authorized for. Actions are logged.
Safety measures and procedures against external attacks: We are partners with Microsoft and keep our technical staff updated on current system and security solutions. Through Azure, we ensure with Microsoft that:
- Our services are always up to date on security and latest security patches
- Always running the latest version of important software
- Logging of all attempts at login
- Performance of manual vulnerability tests
ExorLive satisfies the requirement for built-in privacy. ExorLive is classified as software in risk Class 1, which is the lowest risk class. We use single-factor authentication for login unless otherwise agreed upon.
Patient data can be stored on a dedicated server. It can also be stored in your country/organisation on your dedicated server. This is a paid service in addition to the standard license fee.
Yes. This is a paid service in addition to the standard license fee.
Whoever makes use of a cloud service for the processing of personal data is the controller of that personal data, even if the processing is carried out by a cloud service provider or its sub-contractors. The provider of the cloud service, and all of its sub-contractors hired for the processing, are the controller’s data processors.
The controller of personal data must, as a rule, ensure that there is a personal data processor agreement that meets the requirements of the Personal Data Act.
We usually sign the Personal Data Processor Agreement that the Organisation uses throughout the organisation.
No, we do not use identifiable information for any other purpose than the intended purpose.
A backup is taken every night. Backups are stored for 1 year unless otherwise agreed upon.
The processing of personal data of a child shall be lawful, where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
We recommend that the parent receives the link to the exercise programmes for the child, or that the physiotherapist makes a note in the journal that the child can get direct access to the exercise programme, especially when this is given out as an app and not a print.
You can read more about this here: http://developer.exorlive.com/api/
A personal data breach is reported to the supervisory authority within 72 hours. It is also reported to the person, if such a breach is likely to result in a high risk to the rights and freedoms of natural persons.
As an administrator, you are able to access several settings in the ExorLive administration panel, thus enabling you to adjust ExorLive to fit your organisation the best possible way. You can create departments in the desired number of levels and manage roles and rights. You can also upload different logos to each department within the same Organization.
Patient programmes can be locked/signed, i.e. only the creator and admin can access it. This is visible as an entry in ExorLive equivalent to the entry in a patient journal. You can also block departments for personal exercise programmes, per patient request, making the availability of the programmes limited. Share level options are also available.
All current actions are logged in the system and can be extracted as reports. For example, an activity log for a specified patient and an access log for a specified user (Instructor). You can read more about what you can do as an administrator to limit data HERE.
In ExorLive, privacy is preserved as the default setting. In practice, this means that ExorLive's cookies are designed and developed with privacy as the default setting. Thus, the user is always informed of what information is processed, for what purpose and who processes the information, and consents to this. Ref. Electronic Communications Act §2-7b
ExorLive is classified as medical software in risk class 1, according to the Medical Device Regulation, ISO 13485 and EU Directive 93/42/EEC. ExorLive is listed with the Norwegian Medicines Agency under number NO985542597/0886-54712. Personal data is stored on Microsoft Azure's servers in Ireland, which are in compliance with ISO 27001.
Our Support has the overall responsibility of all support cases, and evaluation of corrective actions and preventive actions (CAPA). E-mail: firstname.lastname@example.org
Our Data Protection Officer has the overall responsibility for our safety procedures around personal data. E-mail: email@example.com