Security, Privacy & Compliance

We Protect User & Institution Data at Every Step

Oasis is compliant with the highest security standers, ensuring your information is always secure.

HIPAA & FERPA Compliance

Oasis data is encrypted in a SOC 2 Certified Data center that specialized in HIPAA and FERPA compliance. We also implement several administrative, physical, and technical controls.

SOC 2 Type II

The Oasis Platform is SOC 2 Type II certified and compliant. This ensures your data is stored and processed in secure a manner.

Single Sign On

Oasis offers integrations for access management via SSO from Azure, Google, and Clever.

Our PHI Security Measures

Oasis is built using an ISO 27001-certified platform and is considered HIPAA and FERPA-compliant. Our security is made up of a complex array of physical, technological, and administrative controls and privacy policies. 

All 18 types of electronic Private Health Information (ePHI) are protected by several means including:

Physical Security

  • Data Center Entry: Dual-factor authentication In order to enter the data center, a person must have:
      1. Prior authorization from management
      2. Be on the approval list
      3. Have the approved access code
      4. Two forms of personal identification; and
      5. Their identity confirmed using the biometric fingerprint scanner.
  • Visitor logging and auditing – The entries in the logbook must directly match the video surveillance tapes. An independent audit confirms the match of visitor logs with the video archives.
  • Video surveillance – Video logs kept for 90 days.
  • Procedure Documentation – Documentation for the procedure to allow access by unannounced visit, phone call, or email.
  • Annually, the data center undergoes a HIPAA audit by a 3rd party entity. The data center has passed with a 100% compliance rating. Audits are performed using the OCR Audit Protocol.

Administrative Safeguards

  • Business Associate Agreement signed
  • Required annual HIPAA staff training, assessment, and regular staff security reminders
  • Annual Risk Assessment conducted
  • Audits are performed using the OCR Audit Protocol.
  • Annual data center HIPAA audit by a 3rd party (passed with a 100% compliance rating).
  • Disaster preparedness and disaster response plans, contingency data access plans
  • Privacy Officer assigned security responsibilities
  • Policies and procedures for information access controls (minimal use policy)
  • Security Incident Procedures and Breach Notification Plan
  • Regular risk evaluation, risk mitigation plans, and monitoring processes
  • Business Associate Agreement with contracted use

Data Security

  • Access Control – Unique user identification, emergency access procedure,
  • Automated log out after 10 minutes of inactivity and screen blanked after 5 minutes of inactivity
  • Centralized logging; OS change management and patch management
  • IPS/IDS Protection
  • 256-bit encryption in-transit and integrity controls
  • Data encryption at rest
  • Data encryption in transit
  • Password requirement: 8 digits, symbol, upper case, lower case, and number (can be increased)
  • Antivirus and anti-malware updated regularly
  • OS patch and change management
  • Dual factor VPN for root access
  • Daily offsite file-level backup with 14-day retention with the same type and security protections
  • Back up data: Encryption at-rest and 256-bit encryption in-transit to a backup sit

Frequently Asked Questions

Oasis collects only protected health information that is needed to provide high quality care and user experience. This includes:

  • Name
  • Email
  • Phone Number
  • City
  • IP Address
  • Device Identifiers
  • Web URL
  • Photographic image

Our servers are located in the United States in a SOC 2 Certified Data center that specializes in HIPAA compliance.

Our servers are continuously monitored 24-7-365 by human security specialists and have multiple firewalls configured for added security.

The servers are back-up daily to an offsite sister SOC2 certified data center. Data in all servers with PHI are encrypted in transit and at rest.

Both server locations have redundant internet, and redundant power (diesel power generators with 30 day fuel reserves).

Access to the physical servers requires several layers of security confirmation including, but not limited to biometric verification, fingerprint matching, and security codes.

Data is kept until the individual user’s account is deleted or the organization’s account is deleted.

Much of your activity as a user on Oasis is de-identified. Some activity will be connected to your account ID.

What your school cannot access

  • Your Support Counseling history & transcripts
  • Self-care articles you read
  • Self-care videos you watch 

What your school can access

  • Date of your first and last login
  • Course activity and completion
  • Mood log records
  • If you were handed off to a crisis resource through Oasis Support counseling

Oasis collects various data points related to usage to provide helpful analytics and insights.

  • Course Progress
  • Content Views
  • Mood Log Records
  • Support Counseling Transcript

No. Oasis has never had a security breach.

Have other questions?

Fill out the form and our team will get back to you! 

Scroll to Top