Security
Security is always important when dealing with sensitive and critical information, such as much of the information that records retrieval businesses handle. There are many ways MR9 improves on security:
SOC 2 compliant
Liability concerns with storing data remotely have created a demand for assurance of the security, confidentiality, and privacy of information processed by these systems. This demand is especially strong for the type of sensitive legal and medical data stored in MR9.
To meet that demand, OMTI undergoes annual audits by independent 3rd-party CPAs of our controls and procedures for handling our clients’ data, including data managed in the cloud. Security is covered in the SOC 2 standard, and OMTI is SOC 2 Type 2 compliant, which is the higher standard of compliance in which CPAs audit us over a several-month period each year.
You can request a copy of our current SOC 2 compliance report by submitting this form.
Secure log-in
MR9 and MR Connect include several optional security enhancements for logging in, such as two-factor authentication (2FA). 2FA is a more secure way to confirm a user’s identity by adding a second factor to signing in with a user name and password, such as a code sent to their cell phone that they must enter into the log-in page.
You can also require that users have complex passwords, which are harder for hackers to break. And you can require that users have to periodically update their password. You determine the length of time before they must update their password and if they can keep using the same password.
All MetaRecords products include Captcha to prevent bots from making automatic Forgot Password requests — a type of brute-force attack which creates excessive traffic on the server and could slow down your system.
Automatic log-off
To be compliant with general security rules for business applications, automatic log-off is enforced in MR9 and MR Connect. The default is that you are automatically logged out after 20 minutes of inactivity, but you can change that to be as little as 5 minutes or as long as an hour.
Users receive alerts at the end of periods of inactivity to extend their time before being automatically logged off — just like on banking sites.
You must save your work before logging off. MR9 does not save your work for you before it logs you off.
Cloud technology & protocols
MR9 and MR Connect are housed in the cloud on Microsoft Azure Cloud Services, which, in addition to a guaranteed 99.9% uptime, benefits from Microsoft’s dedicated resources and processes that guarantee the security and privacy of data on Azure, including various security certifications and adherence to international standards for privacy controls in the cloud. These safeguards are beyond what a single records retrieval or process serving business could provide.
More secure
MR9 is more secure than an in-house system in other ways – such as open port security: When you’re trying to log into MR9 remotely without a secure connection, you do not need to keep the well-known default SQL port open — nor do you need to keep any custom ports open for MR9 Repository downloads. (And that’s one less thing you need IT to do.)
Your info remains confidential
You maintain control of your files. We do not host files on our own servers – your files reside on Microsoft Azure Cloud Services. Your client/order/record information remains confidential.
Better than backup
With your MR9 data and repository files on Microsoft’s Azure Cloud Services, you no longer need a back-up system. Data is mirrored between servers in different locations, so even if one server were to go down, another server would be accessed immediately with no interruption in service and no lost data. And because repository storage is included, repository files are protected similarly, with duplicates stored in several locations.
Modernized security
Part of the enhanced security built into both MR9 and MR Connect is how the data and files you store in them are safeguarded by methods chosen for their appropriateness and security standards.
Database security
- MR9 stores the password as a hash produced by the secure hash algorithm SHA-512, so no one can decrypt the password.
- MR9 only allows access via TLS 1.2. Other security protocols (such as SSL and TLS 1.1/1.0, which are outdated and vulnerable) cannot access MR9.
- MR9 stores sensitive data, such as birthdays, SSN, and Tax ID, using the AES 256-bit algorithm. The symmetric key is stored in SQL Server, and its password is managed by OMTI. This means if someone steals the data, they cannot decrypt the data even if they know the password.
- The SQL Server cannot be accessed from other locations. Only our web server can access it.
Application security
- MR Connect uses an SSL certificate with 2048-bit signatures and 256-bit encryption.
- MR Connect only allows access via TLS 1.2. Other security protocols (such as SSL and TLS 1.1/1.0, which are outdated and vulnerable) cannot access MR Connect.
- Like MR9, MR Connect uses the Microsoft Azure platform. Azure is HIPAA, TRUSTe, PCI DSS, and NERC CIP compliant. (Additional Azure security info)
- In MR9 and MR Connect, optional two-factor authentication (2FA) sign-in sends a code to the user’s cell phone or email address for an extra layer of security when logging in.
Want to know more?
Contact OMTI Sales.