As a SaaS-based product provider, Freshworks offers several products. Customers may use some of these products to process electronic Protected Health Information (ePHI) in the normal course of their business operations. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, where a customer is categorized as either a Covered Entity or a Business Associate, Freshworks may support that customer's HIPAA compliance by mutually executing a Business Associate Agreement (BAA).
The scope of the BAA is limited to the Freshdesk, Freshservice and Freshsales products offered by Freshworks. Processing ePHI in any of our other products is not recommended and is not covered by our BAA. This document sets forth the Secure Operating Environment (SOE) specifications that Customers (whether Covered Entity or Business Associate) must adhere to while using Freshsales to process ePHI. The validity of our BAA is subject to the Customer's continued adherence to the specifications in this document. Further, Freshworks is not liable for the Customer's use of their custom mailbox and/or any Apps (as defined in the Customer's agreement with Freshworks); Customers are expected to configure these independently so that their use remains HIPAA compliant.
Secure Operating Environment
- IP Whitelisting: Whitelist specific IP addresses so that your support portal can be accessed only from the sources you have authorized.
- Restricted access: Configure role-based access controls so that each agent's access is limited to what their job responsibilities require.
- Custom Mailbox: Configure your own custom mail server with Freshsales to gain autonomous control over incoming and outgoing email. With this configuration, all of your email transactions take place outside Freshsales and are managed entirely at your end.
- SSL Certificate: Freshsales provides a default wildcard SSL certificate for all users whose support portal is on a freshsales.io domain. This certificate can be used as long as you continue to use the default Freshsales URL you signed up with (for example, yourcompany.freshsales.io). The default certificate does not work once you have pointed a custom domain name at your CRM portal (for example, crm.yourcompany.com). In that case, you will have to configure a custom SSL certificate, provided by Freshsales, for your domain name. You will need access to your domain control panel in order to add a DNS record to your custom domain. You can request an SSL certificate from Freshsales at no additional charge.
- Mandatory TLS for Emails: Ensure that TLS v1.2 is enabled as mandatory (not opportunistic) for all email to and from your freshsales.io portal.
- Identification and Authentication: a. Enable SAML SSO so that users access the support portal through your unified identification and authentication system, and so that users logging into the portal are validated by your own identity provider. SAML is a mechanism for communicating identities between two web applications. It enables web-based Single Sign-On, which eliminates the need to maintain separate credentials for each application and reduces the risk of identity theft.
or
b. Configure an Advanced Password policy, which lets you set password length, complexity, expiry and repetition rules. Additionally, enable Two-factor authentication if required.
- Data Sanitization: In addition, you can mask ePHI in patient conversations by integrating a third-party data masking app.
- End-Point Security: Ensure that the end-point systems your agents use are hardened and secured to protect the health care data they process. Each system shall be assigned to specific agents, require authentication, lock automatically when idle, and be protected against malware.
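The IP Whitelisting item above is configured from the Freshsales portal settings; the following added example (not Freshworks or Freshsales code) shows the decision logic that such an allowlist enforces, including two points practitioners tend to get wrong: malformed or missing source addresses must be denied rather than skipped, and the source address must be taken from the transport connection, not from a client-supplied X-Forwarded-For header, unless the connection actually comes from a proxy you trust. The allowlist entries and proxy address are constructed documentation ranges, not real values.

```python
"""IP allowlist evaluation for a web portal (added example; not Freshsales code).

All addresses below are constructed from RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
from typing import Iterable, List, Mapping, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed allowlist: an office /24, a single VPN egress host, and an IPv6 block.
ALLOWED_SOURCES = ["203.0.113.0/24", "198.51.100.7", "2001:db8:abcd::/48"]

# Constructed: the only reverse proxy whose X-Forwarded-For header we believe.
TRUSTED_PROXIES = ["198.51.100.250"]


def build_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse allowlist entries; a bare address becomes a /32 or /128 network.
    strict=False lets '203.0.113.5/24' be accepted as the enclosing /24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def effective_client_ip(peer_ip: str, headers: Mapping[str, str],
                        trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the address the allowlist must be evaluated against.

    If the TCP peer is a trusted proxy, use the address that proxy appended
    (the last X-Forwarded-For entry). Otherwise the header is attacker
    controlled and is ignored; the peer address itself is the client."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None  # no usable address at all
    if peer in {ipaddress.ip_address(p) for p in trusted_proxies}:
        xff = headers.get("X-Forwarded-For", "")
        last = xff.split(",")[-1].strip() if xff else ""
        return last or None
    return peer_ip


def is_allowed(source_ip: Optional[str], allowlist: List[Network]) -> bool:
    """Deny by default: unparsable or missing addresses never match."""
    if not source_ip:
        return False
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def authorize_request(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Full decision for one request: resolve the client address, then check it."""
    allowlist = build_allowlist(ALLOWED_SOURCES)
    client = effective_client_ip(peer_ip, headers, TRUSTED_PROXIES)
    return is_allowed(client, allowlist)


if __name__ == "__main__":
    # Direct connection from the office range: allowed.
    print(authorize_request("203.0.113.45", {}))
    # Direct connection from outside, spoofing a header: the header is ignored, denied.
    print(authorize_request("192.0.2.9", {"X-Forwarded-For": "203.0.113.45"}))
    # Same header, but arriving via the trusted proxy: allowed.
    print(authorize_request("198.51.100.250", {"X-Forwarded-For": "203.0.113.45"}))
```

The fail-closed behaviour in is_allowed matters when the portal sits behind load balancers or proxies: a request that reaches the allowlist check without a valid source address should be treated as unauthorized, not as "nothing to check".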
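The Mandatory TLS for Emails item distinguishes mandatory from opportunistic TLS: with opportunistic TLS a mail client accepts a server that does not offer STARTTLS and sends in cleartext, which is exactly the silent downgrade the requirement rules out. The following added example (not Freshworks code; the host and port are placeholders for whatever custom mail server you run) shows an outbound SMTP client in Python that refuses to proceed unless the session is upgraded to TLS 1.2 or higher with certificate verification, alongside the weaker opportunistic pattern it replaces.

```python
"""Mandatory (non-opportunistic) TLS 1.2+ for outbound SMTP.

Added example, not Freshworks or Freshsales code. MAIL_HOST / MAIL_PORT are
placeholders for your own custom mail server.
"""
import smtplib
import ssl
from email.message import EmailMessage

MAIL_HOST = "mail.example.invalid"  # placeholder, not a real server
MAIL_PORT = 587


class TLSNotAvailable(RuntimeError):
    """Raised when the server cannot provide the required TLS protection."""


def opportunistic_send(host: str, port: int, msg: EmailMessage) -> str:
    """WEAK pattern, shown for contrast: upgrades only if the server offers
    STARTTLS and otherwise carries on in cleartext."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):
            conn.starttls()  # default context, and a downgrade is silently accepted
            conn.ehlo()
        conn.send_message(msg)
        return "tls" if isinstance(conn.sock, ssl.SSLSocket) else "cleartext"


def mandatory_tls_context() -> ssl.SSLContext:
    """TLS 1.2 as the floor, CA chain and hostname verification required."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def starttls_or_fail(conn, ctx: ssl.SSLContext) -> str:
    """Upgrade an SMTP session or raise; never fall back to cleartext.
    Returns the negotiated protocol name (e.g. 'TLSv1.2' or 'TLSv1.3')."""
    conn.ehlo()
    if not conn.has_extn("starttls"):
        raise TLSNotAvailable("server did not advertise STARTTLS; refusing cleartext")
    conn.starttls(context=ctx)  # handshake fails below TLS 1.2 because of minimum_version
    conn.ehlo()
    negotiated = conn.sock.version()
    if negotiated not in ("TLSv1.2", "TLSv1.3"):
        raise TLSNotAvailable(f"negotiated {negotiated}, TLS 1.2+ required")
    return negotiated


def send_with_mandatory_tls(host: str, port: int, msg: EmailMessage) -> str:
    """Deliver msg only over a verified TLS 1.2+ session; raises otherwise."""
    ctx = mandatory_tls_context()
    with smtplib.SMTP(host, port, timeout=10) as conn:
        version = starttls_or_fail(conn, ctx)
        conn.send_message(msg)
        return version


def build_message() -> EmailMessage:
    # Constructed sample message; no ePHI in the body.
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"
    msg["To"] = "agent@example.invalid"
    msg["Subject"] = "Ticket update"
    msg.set_content("Your ticket has been updated.")
    return msg


if __name__ == "__main__":
    try:
        print("sent over", send_with_mandatory_tls(MAIL_HOST, MAIL_PORT, build_message()))
    except (TLSNotAvailable, OSError, smtplib.SMTPException) as exc:
        print("delivery refused:", exc)
```

Setting minimum_version on the context is what makes the requirement enforceable at the protocol layer: a server that only speaks TLS 1.0 or 1.1 fails the handshake instead of being negotiated down, and the explicit version check after the upgrade catches a misconfigured context. The same property should be confirmed on the receiving side of your mail server, since a client-side floor protects only the direction you control.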
For information on the information security practices followed at Freshworks, please refer to https://www.freshworks.com/security/