PainChek is committed to upholding industry standards of security, data protection, and risk management practices in accordance with relevant privacy legislation, including Australia’s APPs, the European Union’s GDPR, the UK’s GDPR, and ISO/IEC 27001:2022, the international standard for information security management systems.
Maintaining and consistently enhancing best-practice security protocols
Our commitment to data privacy and security is embedded in every part of our business. Our clients and partners can trust that their data is handled and processed in line with industry standards.
Data security and privacy
- Robust controls to secure client data, implemented at both the organisation and application level
- Backups enabled
- Encryption at rest and encryption in transit
- Independent third-party data protection oversight
- Adherence to relevant privacy legislation, including Australia’s APPs, the European Union’s GDPR, and the UK’s GDPR
- PainChek UK Ltd is Cyber Essentials certified and has completed the NHS Data Security and Protection Toolkit self-assessment to demonstrate it is practising good data security and that personal information is handled safely
Infrastructure, endpoint & network security
- Ongoing status monitoring
- AWS CloudFront and WAF functionality to help prevent DDoS attacks
- Defence-in-depth approach to security, aligning to ISO/IEC 27001:2022
- Disk encryption enabled
- DNS filtering enabled
- Endpoint & threat protection enabled
- NetSkope Zero Trust traffic filtering and analysis tool on all employee laptops
- Third-party security vendor performs penetration testing on the API, Portal and Mobile Apps
Corporate security
- Mandatory, comprehensive best-practice security training for all employees
- Disaster recovery and business continuity plans in place
- Active asset management programme in place
- ProofPoint, the industry-leading email gateway, implemented to protect the PainChek email system
- Data Loss Prevention (DLP) implemented
In addition to the measures above, the PainChek information security team continuously monitors and implements new security controls to align with global best practices.
Visit the PainChek Trust Centre and Privacy Policy to learn more about our security posture and request access to our security documentation.
Trust, reliability, and support
At PainChek, we protect and secure the information of more than 1,900 healthcare facilities and partners worldwide with full transparency and ongoing support.
- Strong data integrity measures
- Robust protection from data breaches
- Advanced user access controls
- Support with information security compliance
Compliance and certifications
We continuously monitor and are up to date on global, enterprise-grade certifications

FAQs
Yes, PainChek uses the following methods to encrypt client data:
Data at rest:
- RDS (PostgreSQL) – Encryption-at-rest using KMS Key
- EKS Secrets – Encryption-at-rest using KMS Key
- EKS Node Root Storage – None – PainChek EKS nodes are ephemeral and frequently terminate. No PainChek data is stored on the nodes, nor in any form of persistent cache or filesystem. Pod logs do not contain sensitive information. Audit logs that may contain sensitive information are recorded in the database only and are not written to the node logs
- S3 – Server-side encryption with Amazon S3 managed keys (SSE-S3)
Data in transit is managed on both sides of the AWS Security Shared Responsibility Model (SRM).
- AWS encrypts all traffic at the physical layer between Availability Zones (AZs)
- In addition to the encryption provided by AWS under the SRM, PainChek has configured and implemented additional encryption layers for in-transit protection of information
PainChek’s data centres are located around the world to both provide optimal speeds to our global clients, and to ensure compliance with local data sovereignty requirements.
PainChek utilises Amazon Web Services S3 storage, leveraging high levels of physical security, redundancy, and reliability.
Does PainChek® save any photos or videos of the person being assessed?
No, the camera does not record images or video, and neither your data nor your face is stored or used to train PainChek®’s AI system.
PainChek® uses artificial intelligence to conduct an automated facial analysis using your device’s camera. This real-time analysis identifies the presence of micro-facial expressions associated with pain in only 3 seconds, making it both fast and consistent.
When you press the ‘Start Analysis’ button, the system conducts its analysis in real time, never saving or transmitting any photos or videos of the face being assessed. This means you never need to worry about images or videos being saved or stored.
Please note that a PainChek® user may capture a profile picture for an individual (i.e. a photo) and those images are stored on the device and transferred to the PainChek® back-end. However, this is an optional feature and an organisation or individual can choose not to record profile pictures in order to comply with their specific organisational policies.
A cached version of PainChek® data is stored on your device to facilitate rapid data access and offline use of the PainChek® application. This data is encrypted on your device, and can be remotely wiped should a device go missing, or otherwise be removed from service.
On iOS devices (running iOS 8 or later), encryption is enabled when you set up a device passcode (that is a passcode that you need to enter to unlock the device).
On Android devices (running Android Gingerbread 2.3 or later), go to Settings, then Security, and check whether your device is already encrypted. If not, enable encryption.
It is also recommended that you have a PIN, password, or pattern on the lock screen to further boost the security. A strong user password (at least 12 characters with a combination of uppercase letters, lowercase letters, numbers, and symbols) is recommended.
It is industry best practice to enable encryption for all devices and it is beneficial not just for PainChek® data, but for all data on your device.
The automated facial assessment process used to determine a patient’s level of pain does not record images or video, nor are images or video stored on the device or transmitted to other systems.
Although the PainChek® application requires access to a device’s camera in order to determine the pain descriptors visible in the face of a patient, the 3-second scan is not recorded and does not leave the device – all facial analysis processing takes place on the device.
Only metadata about the assessments (e.g. the number of pain descriptors visible) and the basic details required to identify the patient (e.g. name, date of birth, gender and pseudonym) leave the device.
PainChek keeps the data in our database, which is hosted using Amazon Web Services S3 storage, leveraging high levels of physical security, redundancy, and reliability.
Once the data is no longer required by a user, PainChek archives the licence and any PII (Personally Identifiable Information) is removed.
Yes, our organisation has a dedicated Information Security Officer. The ISO reports directly to the head of compliance and regulation, thus removing any conflict of interest with the technical team.
The ISO is responsible for:
- Network security auditing
- Vendor risk assessments
- Asset risk assessments
- Maintenance and continual improvement of the ISMS
- Compliance with our security regulations and certification commitments
- Security training and awareness
For further enquiries about PainChek’s information security protocols, please contact [email protected].