Data Standards

SUMMA, INC.

Data Standards

Last Revised: March 30, 2020

Summa System Architecture

    • The Summa System is hosted by Microsoft Azure
    • The Summa System includes the Summa Mobile API, Summa Web API, Summa Virtual Machine, and Summa Database
    • Within the database, there are 3 tables
      • User – Stores mobile app registration information like name, phone number, email address
      • Wearables – Stores wearables data collected during projects with de-identified generator codes only
      • Surveys – Stores survey response data collected during projects with de-identified generator codes only

 

De-Identification, HIPAA, GDPR.

When research participants respond to survey questions, their response data is stored in the Summa server in the ‘Surveys’ table using an entity-relationship model that links participant response data to their anonymous Summa generator code

To secure health-related data from various wearables (Apple, Fitbit, etc.) the Summa System integrates with a wrapper application programming interface (API) from Validic, Inc. The Validic API is ISO 27001 certified, managed by Amazon Web Services, SAS 70 Type II certified, SSAE16 (“SOC 2”)/HIPAA/HITRUST Compliant and features proximity security badge access and digital security video surveillance. The server can only be accessed via two-factor authentication over secure channels, and runs monthly AWS Inspector Vulnerability Assessments. All access to the web portal is secured over HTTPS with AES-256 encryption. All Validic staff with access to Client Data are HIPAA Privacy Associate certified. 

The data the Summa System receives from wearables via the Validic API is de-identified upon arrival under the HIPAA “Safe Harbor” standard. Wearables data is stored in the Summa server in the ‘Wearables’ table using an entity-relationship model that links participant wearable data to their anonymous Summa generator code.

For more information, please see Validic’s privacy policy and data security policy

 

Project Data File

When a researcher chooses to ‘download’ a project file, the Summa System executes a query that uses the ‘Surveys’ and ‘Wearables’ tables to collate participant data with only their anonymous Summa generator code. No information from the ‘Users’ table is shared with the researcher during project file download.

What this means is that no personally identifiable data is available for download by the researcher (i.e.,’Data Consumer’). Researchers only receive anonymous generator codes, survey responses, and wearables data.

This ‘test project file’ shows an example of what a researcher receives when they download project data using the Summa System. This file includes ‘fake’ data made internally for purposes of demonstration. 

 

Summa Privacy and Terms & Conditions

Privacy Policy – www.WeAreSumma.com/Privacy

Terms & Conditions – www.WeAreSumma.com/Terms

  • Personal Information. At this point in time, the Summa System collects email address, first name, middle name, last name, telephone number, address, and zip code during mobile app registration. This information is stored in the ‘Users’ table on the Summa server. 
  • Non-Personal Information. These are data where Summa is not aware of the identity of the user. For avoidance of doubt, any Non-Personal Information connected or linked to Personal Information is deemed as Personal Information

Summa does not share Personal Information with third parties unless there are extenuating circumstances as outlined by the Summa Privacy Policy. 

 

Security and Privacy Controls

  • Mobile App User (‘Data Generator’ ie., ‘Study Participant’). 
    • Mobile app user is given access to the privacy policy and terms & conditions prior to app registration.
    • Mobile app user must use a one-time password during registration by entering their phone number and entering the code they receive via SMS.
    • Mobile app user must create security questions during registration to facilitate password recovery.
    • Mobile app user haas the option to reset their password via email at any time. 
    • Mobile app user is presented with Institutional Review Board (IRB) informed consent materials prior to enrolling in a project using the Summa System mobile application.
    • Mobile app user is presented with information about the project during project enrollment, and must select I Agree when enrolling prior to any data being shared.
    • Mobile app user must consent to wearables data sharing by connecting their wearable via third party authentication (TPA).
    • Mobile app user may disconnect any wearable device at any time from the Summa System to stop data sharing.
    • Mobile app user may stop responding to survey questions at any time to stop survey data sharing.
    • Mobile app dashboard does not display project data like survey responses or wearables data.
    • Mobile app user can request account termination via email by contacting Info@WeAreSumma.com. Account termination is performed within 48 hours and includes a complete wipe of the mobile app user’s data.

 

  • Web App User (‘Data Consumer’ ie., ‘Researcher’)
    • Web app user cannot get access to the Summa System web application unless they are added directly by Summa.
      • Before adding a web app user, Summa confirms that the web app user is affiliated with an accredited higher education organization and is in good standing with the organization
    • When there are multiple users at an organization, Summa assigns one web app user as the organization administrator of the Summa System. The organization administrator can create new web app user accounts for other researchers at the organization.
    • Web app user has the option to reset their password at any time. Additionally, the organization administrator can reset web app user account passwords for users affiliated with their organization.
      • The organization administrator also has the option of deleting a web app user account for users affiliated with their organization.
    • Web app user will time out of the web application if they leave their screen idle for a short period of time. The web app user will have to log back in with their email address and password to regain access to the web application. 
    • The web app is only accessible via HTTPS, ensuring login and data downloads occur with secure protocols. 

Web app user does not have access to personally identifying information from mobile app users. Project data files only contain anonymous generator codes, survey response data, and wearables data. See here for a test project file.

 

Contact Information

If you have any questions (or comments) concerning the data standards, you are most welcome to send us an e-mail to the following address, and we will make an effort to reply within a reasonable time frame: Info@WeAreSumma.com.