Minimum security standards for Users operating the Platform in compliance with HIPAA and GDPR
AITACS CRM implements server-side and application-level security measures to protect client data. However, compliance with HIPAA and GDPR is a shared responsibility. As a User (Data Controller / Covered Entity), you are responsible for the security of your own device, network, and work environment.
This document defines the minimum security measures you must follow when using the Platform. These requirements align with the HIPAA Security Rule (45 CFR §164.308–312) and GDPR Article 32 (security of processing).
Failure to comply with the mandatory requirements listed below releases the Provider from liability for any data breaches, unauthorized access, or data loss resulting from the User's non-compliance. See Terms of Service §7.4 and BAA §6.
Use a currently supported operating system with automatic security updates enabled: Windows 10 or later, macOS 12 (Monterey) or later, Ubuntu 22.04 LTS or later, ChromeOS, iOS 16+, or Android 13+.
HIPAA §164.308(a)(5)(ii)(B) — Protection from malicious software. Unsupported OS versions no longer receive security patches.
Install and maintain an active, up-to-date antivirus or endpoint detection and response (EDR) solution. Windows Defender (built-in) is acceptable. macOS users should ensure Gatekeeper and XProtect are enabled.
HIPAA §164.308(a)(5)(ii)(B) — Protection from malicious software.
Enable full-disk encryption on all devices used to access the Platform. Use BitLocker (Windows), FileVault (macOS), or LUKS (Linux). On mobile: iOS encryption is enabled by default with a passcode; on Android, enable device encryption in Settings.
HIPAA §164.312(a)(2)(iv) — Encryption and decryption. GDPR Art. 32(1)(a) — Encryption of personal data. Protects data if the device is lost or stolen.
Set a strong password or passcode on all devices used to access the Platform. Minimum 12 characters for computers, minimum 6-digit PIN or biometric authentication for mobile devices. Do not share your device password with anyone.
HIPAA §164.312(d) — Person or entity authentication.
Enable two-factor authentication for your AITACS CRM account. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) or hardware key (YubiKey). SMS-based 2FA is acceptable but less secure.
HIPAA §164.312(d) — Person or entity authentication. Prevents unauthorized access even if your password is compromised.
Use a separate, dedicated browser profile for clinical work with the Platform. Do not mix clinical browsing with personal browsing, social media, or untrusted websites in the same browser profile. This isolates cookies, localStorage, and cached data.
HIPAA §164.312(a)(1) — Access control. Prevents cross-contamination of session data and reduces exposure to browser-based attacks.
Use exclusively pseudonyms (nicknames) when entering client information into any AI-enabled section of the application. The Platform displays clear guidance at every relevant input field. Never type a client's real name, phone number, email, or other identifying information into AI chat or AI analysis fields.
HIPAA Safe Harbor §164.514(b) — De-identification. This is the single most critical user-side compliance action. The Platform's de-identification filters are designed to work with pseudonymized input.
Do not leave your device unattended and unlocked while the Platform is open. Lock your screen when stepping away (Windows: Win+L, macOS: Ctrl+Cmd+Q). Do not allow unauthorized persons — including family members, colleagues not involved in the client's care, or office visitors — to view or access the Platform.
HIPAA §164.310(b) — Workstation use. §164.310(c) — Workstation security.
Keep your operating system, web browser, and all installed software up to date. Enable automatic updates where possible. Pay special attention to browser updates, as the Platform runs in the browser.
HIPAA §164.308(a)(5)(ii)(B) — Protection from malicious software. Unpatched software is the primary vector for data breaches.
Do not access the Platform over public Wi-Fi networks (cafes, airports, hotels, coworking spaces) without an active VPN connection. Public Wi-Fi is inherently insecure and susceptible to man-in-the-middle attacks. Use your mobile hotspot or a trusted VPN service.
HIPAA §164.312(e)(1) — Transmission security. GDPR Art. 32(1)(a) — Appropriate technical measures.
Use a dedicated password manager (1Password, Bitwarden, or Dashlane) to generate and store unique, strong passwords for every account. Never reuse passwords across services.
Eliminates the risk of credential stuffing attacks — the most common breach vector for cloud applications.
Configure your device to lock automatically after 5 minutes of inactivity or less. On mobile devices, set auto-lock to 1–2 minutes.
Prevents unauthorized access if you forget to manually lock your screen.
Periodically export your data from the Platform and store encrypted backups on an external drive or encrypted cloud storage. This protects against data loss due to account issues, server outages, or accidental deletion.
HIPAA §164.308(a)(7) — Contingency plan. Ensures data availability even in disaster scenarios.
Use a reputable VPN service (NordVPN, ExpressVPN, ProtonVPN, Mullvad) for all work sessions, not only on public Wi-Fi. This adds an encryption layer between your device and the internet.
Provides defense-in-depth for data in transit, especially valuable when working from home networks with IoT devices.
If possible, use a dedicated device for clinical work — separate from personal use. This eliminates the risk of personal browsing, downloads, or applications compromising the security of clinical data.
HIPAA §164.310(b) — Workstation use. The strongest physical access control for solo practitioners.
Enable 2FA on your email account (the one used for AITACS CRM login). Your email is the recovery mechanism for your account — if your email is compromised, your Platform account is at risk. Be vigilant about phishing emails.
Email compromise is the #1 vector for account takeover. Securing your email secures your entire digital identity.
Establish a consistent pseudonym system for your practice. Examples: use literary characters ("Hamlet", "Ophelia"), colors + numbers ("Blue-17", "Green-42"), or random codes. Keep a separate, encrypted mapping file (not in the Platform) linking pseudonyms to real identities, stored on your encrypted device only.
A consistent system prevents accidental use of real names and simplifies your workflow with the AI assistant.
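As an added example (not part of the Platform or of this document), a small pre-submission check in Python that reflects the two pseudonym rules above: it scans a note for emails, phone numbers and dates, and flags capitalised words that are not on the practice's pseudonym roster, so a real name or contact detail is caught before the text reaches an AI field. The roster and the sample notes are constructed, and the capitalised-word name heuristic is an assumption that will produce false positives for ordinary capitalised words.

```python
import re

# Constructed roster of approved pseudonyms, following the schemes suggested
# above (literary characters, colour + number). The pseudonym-to-identity
# mapping itself belongs in a separate encrypted file, never in this script.
APPROVED_PSEUDONYMS = {"Hamlet", "Ophelia", "Blue-17", "Green-42"}

# Direct identifiers that must never be typed into an AI chat or analysis field.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<![\w-])\+?\d[\d\s().-]{7,}\d(?![\w-])"),
    "date": re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b"),
}
# Heuristic (assumption): a capitalised word, optionally with a -number suffix,
# that is not an approved pseudonym may be a real name. Sentence-initial words
# are skipped to reduce false positives.
CAPITALISED_WORD = re.compile(r"\b[A-Z][a-z]{2,}(?:-\d+)?\b")


def find_direct_identifiers(text):
    """Return [(kind, matched_text), ...] for emails, phone numbers and dates."""
    found = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        found.extend((kind, m.group(0).strip()) for m in pattern.finditer(text))
    return found


def find_unapproved_names(text, roster=APPROVED_PSEUDONYMS):
    """Return capitalised words that are neither approved pseudonyms nor
    sentence-initial; these need review before the text is submitted."""
    suspects = []
    for m in CAPITALISED_WORD.finditer(text):
        before = text[:m.start()].rstrip()
        sentence_start = before == "" or before[-1] in ".!?"
        if not sentence_start and m.group(0) not in roster:
            suspects.append(m.group(0))
    return suspects


def check_ai_input(text, roster=APPROVED_PSEUDONYMS):
    """Pre-submission check: the note is safe only when no direct identifier is
    present and every client reference uses an approved pseudonym."""
    identifiers = find_direct_identifiers(text)
    names = find_unapproved_names(text, roster)
    return {"ok": not identifiers and not names,
            "identifiers": identifiers, "unapproved_names": names}


if __name__ == "__main__":
    # Constructed sample notes, not real client data.
    for note in ["Session notes for Hamlet: reports better sleep this week.",
                 "Blue-17 asked to be reached at 555-123-4567 after 5pm.",
                 "Session with Maria about exam anxiety."]:
        print(check_ai_input(note))
```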
Log out of the Platform when your work session is complete. Clear browser data periodically. Do not save your Platform password in the browser — use a password manager instead.
Minimizes the window of opportunity for unauthorized access through an open session.
Before entering any client's data into the Platform, obtain their signed informed consent using the template provided (Informed Consent Template). Store signed consent forms securely — either digitally (encrypted) or physically (locked cabinet).
HIPAA Authorization Rule. GDPR Art. 9(2)(a) — Explicit consent for special category data.
If you suspect any unauthorized access to your account, unusual activity, or if your device is lost or stolen — immediately change your password, revoke active sessions, and notify the Provider at aitacs@skillbuilder.club. Time is critical in breach containment.
HIPAA §164.308(a)(6) — Security incident procedures. See Incident Response Policy.
Print this checklist and keep it at your workstation. Verify compliance periodically.
If you have questions about these security requirements or need assistance with implementation:
Artem Chukov — Provider / Security Contact
Email: aitacs@skillbuilder.club
Web: skillbuilder.club