At our MSP we mostly have to deal with HIPAA, but there are similar laws that cover sectors other than healthcare and take similar approaches. The financial sector in the US, for example, has SOX (the Sarbanes-Oxley Act). The point is that we expected our customers to have a need for regulatory compliance when using our software, because the screenshots it captures may contain very sensitive information. We therefore set out to design a system that can address these regulatory hurdles in an all-encompassing way.
We reached out to a HIPAA (Health Insurance Portability and Accountability Act) compliance attorney before we ever showed this software to anyone because our own MSP manages mostly medical practices. We knew that we needed to have certain, very specific features to comply with the strictest data security laws.
To meet this requirement we have to provide additional layers of protection. That was the birthplace of the Gatekeeper, per-user access restrictions with audit logging, and consent-based data transmission. A customer-controlled Amazon S3 account is required, and we are prepared to sign a BAA (as well as have Amazon sign one).
If you are in the European Union or the United Kingdom, you may address privacy-related inquiries to our EU or UK representative pursuant to Article 27 GDPR:
EU: EU-REP.Global GmbH, Attn: Tier2Tech, Hopfenstr. 1d, 24114 Kiel, Germany
UK: DP Data Protection Services UK Ltd., Attn: Tier2Tech, 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom