Please read the questions carefully and pay attention to whether the question relates to the solution, the SPS infrastructure, or our service provider.
If this is not clear, please double-check with the customer.
Information Protection Processes and Procedures
Solution and application
- Describe the function of the SpeechLive system.
Philips SpeechLive is a browser-based dictation and transcription solution which converts your speech to text.
- Does your cloud service also provide an on-premise solution?
Not with this product. We do have an alternative product that is on premise.
- What is your billing model?
Annual Subscription paid in advance.
- What is the length of the contract?
1 or 2 year contracts are available.
- What cloud computing services do you provide?
Dictation, Transcription and Speech to Text services.
- What type of insurance do you have? and how much?
Commercial General Liability. 2M.
- Does your solution support the integration of Multi-Factor Authentication?
Yes.
It is possible to enable MFA in SpeechLive for Admin and Workflow users. Users must enter an additional verification code before they can log in to their SpeechLive account. The code is sent to the same email address the user is logging in with and is only valid for a limited time.
- Is a user account locked or deactivated in case of multiple incorrect logins? And how can this then be unlocked again?
After the first 10 failed attempts, the lockout period is one minute. The next 10 lockout periods are slightly longer, and the duration increases again after every 10 lockout periods. Lockout periods can last up to five hours. Entering the same password repeatedly does not count as multiple unsuccessful logins.
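The escalating lockout described above, as an added illustration that is not SpeechLive's own code: a lockout is triggered every 10 distinct failed attempts, the lockout duration steps up after every 10 lockouts and is capped at five hours, and a repeat of the same wrong password is not counted. The page does not say how much "slightly longer" is, so doubling per tier is an assumption, as is resetting the counters on a successful login. To honour the "same password" rule without storing wrong passwords, the last failed attempt is remembered only as an HMAC tag under a server-side secret (the secret below is a constructed demo value).

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

FAILED_ATTEMPTS_PER_LOCKOUT = 10          # from the page: lockout after 10 tries
BASE_LOCKOUT_SECONDS = 60                 # from the page: first lockouts last one minute
MAX_LOCKOUT_SECONDS = 5 * 3600            # from the page: up to five hours
ESCALATION_EVERY = 10                     # from the page: longer after every 10 lockouts
ESCALATION_FACTOR = 2                     # assumption: page only says "slightly longer"

# Assumption / constructed value: a real deployment keeps this in a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def lockout_duration(lockouts_so_far: int) -> int:
    """Seconds to lock the account for the (lockouts_so_far + 1)-th lockout."""
    tier = lockouts_so_far // ESCALATION_EVERY
    return min(BASE_LOCKOUT_SECONDS * ESCALATION_FACTOR ** tier, MAX_LOCKOUT_SECONDS)


def attempt_tag(password: str) -> bytes:
    """Keyed tag of a failed attempt so repeats can be recognised without
    keeping the wrong password itself (plain hashes would be offline-crackable)."""
    return hmac.new(SERVER_SECRET, password.encode("utf-8"), hashlib.sha256).digest()


@dataclass
class AccountState:
    failed_attempts: int = 0            # distinct failures since the last lockout/success
    lockouts: int = 0                   # lockouts so far (drives escalation)
    locked_until: float = 0.0           # epoch seconds; 0 means not locked
    last_failed_tag: Optional[bytes] = None


class LoginGuard:
    """Wraps a credential verifier with the lockout policy. Returns
    'ok', 'denied' or 'locked' and never evaluates credentials while locked."""

    def __init__(self, verify: Callable[[str, str], bool]):
        self._verify = verify
        self._accounts: Dict[str, AccountState] = {}

    def state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self.state(user)
        if now < st.locked_until:
            return "locked"               # lock window still open: do not even verify
        if self._verify(user, password):
            st.failed_attempts = 0        # assumption: success clears the counters
            st.lockouts = 0
            st.last_failed_tag = None
            return "ok"
        tag = attempt_tag(password)
        if st.last_failed_tag is not None and hmac.compare_digest(tag, st.last_failed_tag):
            return "denied"               # same wrong password again: not counted
        st.last_failed_tag = tag
        st.failed_attempts += 1
        if st.failed_attempts >= FAILED_ATTEMPTS_PER_LOCKOUT:
            st.failed_attempts = 0
            st.locked_until = now + lockout_duration(st.lockouts)
            st.lockouts += 1
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(lambda user, pw: pw == "Correct1")
    t0 = 1_000.0
    outcomes = [guard.attempt("alice", f"wrong{i}", t0) for i in range(10)]
    print(outcomes[-1], guard.state("alice").locked_until - t0)   # locked 60.0
```

The guard answers "locked" before the verifier runs, so a locked account leaks nothing about whether the supplied password was right, and the escalation tier is derived from the lockout count rather than from wall-clock time, which keeps the policy stable across restarts if the `AccountState` is persisted.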
- Does the mobile or desktop app maintain any data beyond a simple cache?
No
- Are there any system requirements we need to consider on Windows 10 workstations? What about on iOS or Android devices?
Supported operating systems:
Windows 11
Windows 10
macOS
Supported browsers:
Google Chrome (latest version)
Mobile:
The SpeechLive app is supported on the two most recent versions of iOS and Android.
Desktop app:
The SpeechLive Desktop app is supported on Windows 10 (64-bit).
Virtual environments:
Virtual environments are supported via Philips Device Connector.
- Will the system require a connection to the Internet?
Yes
- Provide a list of any open ports being used.
443
- I see that data is backed up for 30 days; should we assume that on day 31, data is purged irrevocably? Is the expectation that users have copied the transcription into its final document outside of your service by then (fulfilling compliance requirements to maintain HIPAA-covered data for 7 years post-generation)?
You can define when archived dictations are purged from the archive. The purge interval can be set from 1 to 365 days (the default is 30 days).
- Is it possible to force-delete a transcription job before the 30-day time limit? Example: the transcription completes and data is moved to its final document within the GHR file server. Can the user force-delete the transcription to ensure that data is no longer on the Internet (despite security controls)?
Yes
- Does SpeechLive support the integration of Single Sign-On?
Yes, SpeechLive supports SSO.
- If not, is it on your roadmap to move to a challenge-response system with a rotating code instead of an email notification? Ideally, we'd like to use the MS Authenticator app to enroll.
We have this customer request in the backlog, but it is not part of the current roadmap.
- Should we decide to cancel our service contract with you, how would you securely erase our data and transfer existing data back to us?
Customers can export their dictations at any time.
- Do you provide customers with separate environments for production and test processes?
No, we don't provide a test environment for customers.
- Describe the authentication methods supported by the client-side application (basic auth, certificate, PIN, one-time password, etc.) and any requirements or policies related to them (password complexity, expiration, etc.).
SpeechLive requires password authentication. The password requirements are: a minimum of 8 characters with at least 1 uppercase letter, 1 lowercase letter, and 1 digit.
For the mobile app there is an additional security layer. Every time you open the app you need to authenticate yourself (e.g. via fingerprint or passcode, depending on the configuration of your device).
- Is it possible to limit access to the service based on IP address (meaning: GHR staff could only access it from the primary office or after establishing a VPN connection to the office when working remotely)?
List of URLs to whitelist in order to use SpeechLive - Philips SpeechLive
- More information regarding the SpeechLive solution can be found in the online help.
Access Control
- Is your infrastructure protected by physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols)?
Key Card Access
CCTV
- What level of access do your employees have to our client data at any given time?
Role-Based Access Control.
Perimeter Network
- Do you have an Intrusion Detection/Prevention System in place?
We don't have an IPS or IDS, but we have a classic firewall in place.
Data protection
- Where is our data stored? Is our data kept strictly in Canada or is it replicated to other countries?
Yes.
- If yes, which countries?
Netherlands and Ireland.
- Will the solution be configured to store, process or transmit Patient Health Information or Personally Identifiable Information?
No
- What data integrity controls are in place to protect data from being tampered with?
Checksum hashing
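The "checksum hashing" control named above, as an added example that is not SpeechLive's own code: each stored object gets a SHA-256 digest recorded in a manifest at write time, and a verification pass recomputes the digests and reports any object whose content no longer matches. The object names and contents are constructed sample data. The manifest is kept as a separate dict here to make the caveat concrete: a checksum only detects tampering if the attacker cannot also rewrite the checksum, so the manifest must live somewhere the stored data's writers cannot reach (or be keyed, as with an HMAC).

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a stored object's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every object at write time."""
    return {name: sha256_hex(content) for name, content in objects.items()}


def verify_manifest(objects: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names of objects that fail integrity verification:
    content that no longer matches its recorded digest, objects missing
    from storage, and objects present in storage but absent from the manifest
    (an unexpected addition is also an integrity finding)."""
    findings = []
    for name, expected in manifest.items():
        if name not in objects:
            findings.append(name)                 # recorded object is gone
        elif sha256_hex(objects[name]) != expected:
            findings.append(name)                 # content changed since write
    for name in objects:
        if name not in manifest:
            findings.append(name)                 # unrecorded object appeared
    return sorted(findings)


# Constructed sample storage: a few "dictation" blobs keyed by object name.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "dict-0001.dss": b"constructed audio bytes 0001",
    "dict-0002.dss": b"constructed audio bytes 0002",
    "dict-0002.txt": b"Constructed transcript for dictation 0002.",
}


def demo() -> List[str]:
    """Build a manifest, tamper with one object, and return what verification flags."""
    manifest = build_manifest(SAMPLE_OBJECTS)
    tampered = dict(SAMPLE_OBJECTS)
    tampered["dict-0002.txt"] = b"Constructed transcript for dictation 0002, edited."
    return verify_manifest(tampered, manifest)


if __name__ == "__main__":
    print(demo())   # ['dict-0002.txt']
```

Digests are compared as hex strings produced by the same function, so a plain `!=` is adequate here; constant-time comparison matters when the value being compared is a secret, such as an HMAC tag, not for a public content hash.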
Governance
- What industry certifications do you have?
As an organisation, SPS is ISO 9001 and ISO 14001 certified.
More information about the certifications held by our service providers can be found at the links below:
Data security and privacy - Philips SpeechLive
Datensicherheit-und-datenschutz - Philips SpeechLive
Sécurité-et-confidentialité-des-données/ Philips SpeechLive
- Is the information security policy and all subordinate policies and standards reviewed and approved annually?
Yes, constantly reviewed and updated by our product creation team throughout the year.
- Has the information security policy and all subordinate policies been approved by senior management?
Yes.
All security protocols and policies are aligned with our management team. All decisions are made to not only meet relevant local security laws but in some cases exceed them.
- Is the information security policy and all subordinate policies and standards appropriately communicated to and available to relevant employees and external parties?
Yes.
All security policies are available via a combination of our website, our security document and/or our technical regional managers and partners who can provide direct responses to specific questions.
- Is formal responsibility for information security assigned to an individual or a team within the organisation?
Yes.
Our relevant product managers are responsible for managing the security protocols in place with our products and services. They have a team of people who assist them in achieving the desired outcomes.
- Is there an audit trail for those who access our data?
Yes
- Are there any internal procedures in which our data would be accessed without our knowledge?
No
- Is there a formal policy and procedure for granting, modifying and revoking access to your systems?
Yes, a MAC process is in place via customer support; it is managed by our service provider (ITIL-based process).
- Do you provide live help desk support?
SPS Partner/Reseller
- What response times do you guarantee?
Within regular business hours – 24 hrs.
- Is remote access required for support?
In some cases it is required.
Asset Management
- Is our data segregated from other customers' data?
Yes, segregated.
- Are dedicated storages used on Azure for every SL account?
Yes, every SL account has its own storage container (for the dictation data) within our shared solution. Data is stored encrypted at rest in the dedicated region.
Compliance
- Is there a Security Incident Management plan in place that includes the procedures, root cause analysis and communications?
Yes, we have an Incident Management plan.
- In the event of a security incident impacting or exposing the customer's data or systems, is the SPS aware of its obligations?
Yes, in the event of a security incident or breach, SPS will notify the customer within 24 hours.
- Have you encountered a security breach?
No.
- Has your solution undergone Secure Code review?
Yes
- Was this performed internally or did an external company perform the review?
Internally
- Does Microsoft notify its enterprise customers when law enforcement or another governmental entity requests their data?
Yes. Microsoft gives prior notice to its enterprise customers of any third-party requests for their data, except where prohibited by law. We also provide our enterprise customers with notice upon expiration of a valid and applicable nondisclosure order. Except in the most limited circumstances, we believe governments can obtain information directly from our enterprise customers without jeopardizing investigations or risking harm to individuals, just as they did before the customer moved to the cloud. For the same reason, we believe that our enterprise customers can, except in the most exceptional circumstances, be notified about government requests for their data.
law-enforcement-requests-report
- Are you compliant with the requirements of the DPA?
Yes. Here is the link to the DPA agreement:
Data_Processing_Agreement_SL_Customer.pdf
Maintenance
- What is the timeframe for applying critical patches?
30 Days
- What are the hours of service?
SpeechLive is available 24 hrs.
- When and how long was your last sustained cloud wide outage?
Check the status page: Speech Processing Solutions - Status Page.
- Do you have a single monitoring and alerting platform?
Yes
- Do you notify clients when you have a service interruption?
Yes
- If so, how?
Speech Processing Solutions - Status Page.
- What happens if/when your infrastructure goes down?
Speech Processing Solutions - Status Page
- What is your uptime guarantee?
99% within supplier area of responsibility
- How often do you update, or perform maintenance on your infrastructure?
Periodically.
- Will that result in downtime for our business?
No.
Information Protection Processes and Procedures
- How often do you perform backups?
Data Replication is Continuous to support high availability.
Customers can export their dictations at any time.
Data Security
- Do you have your own data center?
No
- Where are they physically stored?
Microsoft Azure Cloud Services.
- Where is the data center located?
US
Canada
EU
Australia
- Do you outsource to a big cloud provider such as AWS?
Microsoft Azure Cloud Services.
- Will our data sitting on your servers be fully encrypted (data at rest and data in transit)?
Yes
- What encryption protocol is in use for data at rest?
AES-256
- What encryption protocol is in use for data in transit?
TLS 1.2
- What do you do if a data breach happens?
Follow our data security policies.
- Is a multi-level firewall concept implemented that logically separates web, application and database servers from each other and limits the connections between them to a minimum?
Logical separation of web server, application server and database server is implemented with a DMZ and subnet structure.
Vulnerability Management
- Do you undergo any third-party audits on your system security?
Yes, we perform external penetration tests on a yearly basis.
The test is performed as a black-box test.
- Do you perform an external vulnerability scan?
We continually perform external vulnerability scans of the websites with the external tool intruder.io.
- Describe in detail the process for identifying vulnerabilities on the application.
SpeechLive application testing goes through a thorough series of evaluations for existing and potential threats to help identify, evaluate, treat, and report on security vulnerabilities in the software.
Automatic source code and dependency analysis is done with GitHub Dependabot.
HR
- Are police and employment history reference checks performed prior to allowing employees or external parties access to either your or the customer's physical locations, systems and data?
No, not required
- Have you ever had any incidents or received any reports of child labour, forced or bonded labour, physical abuse or discipline, threats of abuse, verbal abuse, harassment, other forms of intimidation, discrimination, violation of employment standards, or similar issues within your own organisation or your broader supply chain (including your overseas operations and overseas suppliers)? If yes, please provide details of the incidents or reports and your organisation’s response to the incidents or reports.
No
- Do you have any systems, policies and procedures to detect, monitor and address modern slavery risks in your operations and supply chains (including your overseas operations and overseas suppliers)? If yes, please provide details.
No, not required.
Training & Awareness
- Do you document employee acknowledgment of training they have completed?
Yes
- Are employees made aware of what action might be taken in the event of a violation and stated as such in the policies and procedures?
Yes
- Do you provide or make available a formal security awareness training program for all persons with access to customer data?
No. We provide awareness information to all employees.
- Do all staff undertake mandatory Data Protection awareness training at induction and on an annual basis that includes an assessment to determine the level of understanding?
We have no scheduled awareness trainings, but we send out regular information to all employees.