Yes, we are compliant with all EU privacy & security directives, regulations and guidelines, which include:
EU Privacy Directives and General Data Protection Regulation;
EU Cybersecurity Directive affecting health and sensitive data;
Guidelines and opinions of the EU Data Protection Board (formerly Article 29 Working Party) for health and sensitive data management and app development;
ENISA (European Network and Information Security Agency) state of the art security recommendations;
OWASP state of the art security recommendations and security tests;
All other relevant EU legislation in the areas of security, privacy, and health.
In addition, since the healthcare regulatory framework is evolving fast, we constantly monitor changes at EU and Member State levels.
Our Terms and Conditions explicitly state what our liabilities are regarding health and sensitive data management under EU laws.
Every EU Member State must comply with the EU Data Protection Directives and Regulations. However, these specify minimum standards. Some Member States apply stricter rules, e.g. requiring that all data be stored within that specific country.
We have worked with international legal experts and lawyers to analyse all these requirements across the different EU Member States and to check that we are compliant. As a result, our service implements all the state of the art security safeguards that satisfy the requirements of every Member State.
If you have a specific legal issue, do not hesitate to contact us.
At present, there is no formal certification to demonstrate compliance with EU rules like the GDPR. Therefore, we are unable to offer you any certification services (and any company that claims they can is misleading you).
There are certifications regarding adherence to security and privacy standards in general like ISO 27001, 2018, etc. However, none of these certifications are mandatory for bodies managing health data in the EU (neither for you nor for us). Although they are not obligatory, we hold all relevant certifications including ISO 9001, ISO 13485 and ISO 27001. This makes it easier for you to use our services if your software falls under the new MDR (Medical Device Regulation).
The EU General Data Protection Regulation states that every business delivering services to EU citizens and collecting their data must comply with EU data protection laws. This means that many non-EU companies have to comply with GDPR.
One of the main aims of our service is to simplify your work while increasing overall security. As a result, we take care of all encryption and decryption of your data (at the record level). This means that our system has access to your data only for the brief moment between receiving it and encrypting and storing it safely. Unencrypted data is only ever held in memory; it is never saved or transferred unencrypted.
Our employees cannot access your data in any way. The encryption keys are managed by the server, and we have neither access to nor knowledge of the keys used for encrypting your data.
This approach increases overall security, because client-side encryption is very challenging and risky. For example, encrypting data locally limits what the server side can do with it (e.g. search operations) and poses risks when you implement key and data sharing. In addition, you need to implement proper key storage and sharing, avoid key loss and implement data recovery functions. This is just one part of the list of guarantees that you would need to consider if you want to implement encryption on your device or server.
Instead, with our API you can transfer data securely to our system and we take on the liability to encrypt and protect it properly according to the current EU laws and best standards. We are always up to date.
The Chino.io team can provide you with guidelines and advice on what you must do (e.g. where to start with privacy requirements, privacy policies, terms & conditions, consents, DPIA and so on).
However, we always suggest our customers also speak to their own lawyers when dealing with sensitive data. Each project has its own privacy and data processing peculiarities that are not necessarily related to the technology (e.g. identifying roles and liabilities among people accessing health data).
If needed, we can also introduce you to lawyers and experts in each Member State who are working with health and sensitive data management.
Every time your app stores or retrieves some data, or a user logs in or out, your app performs one or many API calls.
We count only authenticated calls. Unauthorized calls are not counted, but malformed calls (i.e., calls with an incorrect format) are counted.
The number of calls that you need depends on many factors, including your implementation, the number of users, the sort of data you store, how often this data needs to be accessed, etc.
You can estimate it by counting how many operations over data you need to perform per user session, then adding a couple of calls for login operations.
You can always monitor API usage on the Chino.io Console.
Yes, our REST API can be used to store any kind of structured data (JSON) or large binary attachments (blobs).
We count 1 byte for every char in the document body (we do not count document metadata, only the content). This means that the Divina Commedia (which has 408.476 chars, space excluded) can be stored in ~500 KB. You can store it up to 2000 times.
If you store blobs, then keep reading.
We count the byte size of the attachment you send. The Divina Commedia has ~700 pages. If we assume that a scanned page is ~500 KB, the whole book is 350 MB. In 10 GB you can store 35 scanned copies.
Each blob can be up to 1 Gigabyte. You can upload blob documents by using our chunked upload function. You can decide the chunk size based on your device capabilities and network reliability (remember, each chunk must be transferred within a single HTTPS call).
For security reasons we normally limit the number of users to 100,000. If you need more, just contact us.
For security reasons we limit the number of repositories to 1,000. If you need more, just contact us.
For security reasons we limit the number of schemas to 1,000. If you need more, just contact us.
Yes. You just need to update your personal and billing data on the Chino.io Console.
You can grant access to the API to other people in 2 ways:
If you want to give admin access to someone, you just need to generate another Customer Key and share it with whoever you wish. Once you are done, you can delete/invalidate that Key.
If you want to give someone access only to specific repositories/schemas/documents through the API, you can create a User and set up Access Control policies for them.
Yes, this is one of our custom deployment options. Since it requires a dedicated instance and dedicated management of the installation and monitoring, the pricing is provided ad-hoc, based on your needs. Just contact us for more details!
We apply many security measures, and some of them are not publicly disclosed. Among other things:
We always use HTTPS for data transfers;
We encrypt all stored documents and blobs (AES-256);
Each user has their own encryption keys, which are stored separately;
Firewalls and other techniques block unauthorised calls and brute force attacks;
Monitoring systems detect unusual behaviour;
But most importantly, we are working hard every day to improve our system, increase security, update libraries and protect your data.
Yes. We do daily backups of all data.
Yes, Chino.io does its best to guarantee the highest level of service uptime, of at least 99.9%. In case of incidents, Chino.io clearly states ranges for reimbursements:
API service availability (%)
From 98.0 to 99.9
From 95.0 to 98.0
Less than 95.0
For more details Contact us.
You can test the Chino.io Sandbox for six months, uploading and downloading a maximum of 10.000 documents without exceeding 1 GB of space. Please read our Terms and Conditions for more details.
The Chino.io Sandbox is a testing and development platform, where we also do some tests. Therefore, although it is very similar to the production environment in terms of security, we can't provide guarantees about uptime and liabilities. Please read our Terms and Conditions for more details.
Yes, definitely. We can make a custom plan based on your API calls and storage needs. Just contact us to talk about your needs.
If you need a special service configuration, please contact us.
If you are a B2B company and have, for example, a platform that integrates Chino.io and re-sells it as part of your solution, then you can. You just need a special "Ad-hoc" account that allows you to programmatically create accounts and manage them. Contact us for more details.
The billing period can be monthly or yearly. Each billing period starts on the 1st day of the month. If you start in the middle of a month you will be charged pro-rata for the service.
Just contact us and we will help you download your data in bulk. You can also download the data using our API.
For billing details, please check our Terms and Conditions.
You will be notified and you will need to provide an alternative method of payment as soon as possible. Please read our Terms and Conditions for more details.
We support credit cards, PayPal or bank transfers.
VAT is calculated according to EU standard rules.
You can always contact us. We will be happy to answer your questions.
If you find a security issue or a system bug, please email us immediately at email@example.com. Please do not share it on forums, social networks or through any other communication channel.
Yes, you can always contact us at our phone number +49 3022027210. However, if you need extensive support via phone or in-house at your working place, this can be arranged by modifying your subscription plan. Currently, we offer technical assistance by email according to our Terms and Conditions.
Chino.io was born as an acronym within a research project, standing for “Cloud Health INtOperability”. Although the project was a different one, we kept the same acronym mainly because our mission and vision didn’t change, although the methods did.
The “.io” is currently used by technology startups to indicate services related to APIs, interactions, exchanges and, in general, “input-output” (abbreviated I-O).