Security and Privacy
Yellow XR complies with the security and privacy requirements of the healthcare industry.
Protected Health Information Protection
- Yellow XR does not record audio calls or store chat messages at any time, for any reason.
- For video and audio communication, we employ the open-standard WebRTC protocol with NIST-approved AES 128-bit encryption, ensuring secure point-to-point connections.
- All data stored at rest on our file servers is protected using full-disk encryption and AES 256-bit standard encryption, with secure backups in place.
- Access to the Yellow XR interface, including the dashboard, waiting room, and public webpages, is secured with TLS 1.2+ (HTTPS) to ensure encrypted transmission of information.
Technical and Physical Security Controls
- All Yellow XR data is securely stored within the Google Cloud Platform (GCP) data centers, which adhere to industry standard infrastructure designs. To ensure platform uptime and availability, Yellow XR’s support system, help center, and public-facing website operate as independent services. For details on GCP’s current security accreditations, refer to the Cloud Compliance Resource Center page.
- Access to database servers is restricted to a select group of senior administrators and developers. All code changes must undergo approval from multiple parties and pass automated testing before deployment. Employee access to provider-level data is granted strictly on a need-to-know basis to fulfill job responsibilities.
- Provider passwords are stored using one-way cryptographic hashing functions, ensuring that even Yellow XR staff and developers cannot view them. Patients do not have accounts.
- Providers on any subscription plan, including the Free plan, can implement multi-factor authentication (MFA) through "Log in with Google." Clinic plan subscribers have the option to integrate their own LDAP using SAML authentication with Yellow XR.
- Yellow XR does not rely on proprietary audio technology or applications. Instead, our platform is built on the open-source WebRTC standard, the same real-time communication system used by leading telemedicine provider doxy.me.
Overall Security Practices
- Yellow XR is a therapy platform designed for installation on VR headsets and computers, ensuring an optimal and fully immersive therapy experience. Unlike browser-based solutions, our software leverages advanced VR technology to provide enhanced therapeutic interactions. Patients, clients, and providers must download and install Yellow XR on their respective devices to access its features. While Yellow XR operates independently on the installed system, it does not have direct access to a user’s personal files or other applications. To maintain the best possible experience, users should keep their software and operating systems up to date. If an update is required, users will be notified and may need to complete the update before continuing use.
- As new vulnerabilities are discovered daily, Yellow XR has a robust security program in place to detect and remediate potential threats. While we do not comment on specific vulnerabilities, we maintain backup and disaster recovery policies and procedures to ensure continued platform security and availability.
Third-Party Vendor and Service Provider Security
- Yellow XR partners with Stripe for payment processing. Stripe is certified as a PCI Level 1 Service Provider, ensuring the highest level of payment security. Yellow XR does not have access to customers’ credit card data.

HIPAA/HITECH Compliance Responsibilities
To maintain compliance with HIPAA and HITECH regulations, users of Yellow XR must adhere to the following security practices:
- Sign the Business Associate Agreement (BAA) available within your account dashboard.
- Do not share your login email or password with other providers.
- Use strong, unique passwords and avoid reusing old passwords that may have been compromised. Utilize the password strength indicator to ensure complexity.
- Keep your browser and operating system updated to maintain security and ensure the platform functions as intended.
- Install and maintain antivirus and firewall software suited to your compliance and security needs.
- Properly authenticate patients before exchanging sensitive information. This may involve verifying a patient’s identification or cross-referencing information on file. Since Yellow XR does not store patient data, providers are responsible for verifying their clients.

User Data and Anonymity
- Yellow XR values the privacy of its users, including patients/clients and providers. In our efforts to support anonymity for VR users, we do not require personally identifiable information (PII) for patients/clients accessing the platform via VR. Instead, we implement a real-time, randomly generated passcode system to allow patients to securely join therapy sessions. This passcode ensures that patients can participate without needing to reveal their personal identity, allowing for greater confidentiality and privacy in their therapy sessions.
- Providers are responsible for verifying the identity of their patients before exchanging sensitive information. Since Yellow XR does not store patient data, this responsibility lies with the provider to authenticate the patient at the start of each session.
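Two of the mechanisms described on this page, one-way hashing of provider passwords (Technical and Physical Security Controls) and a randomly generated, PII-free session passcode (User Data and Anonymity), are illustrated below in an added example. This is not Yellow XR's code; the scrypt parameters, the 8-character alphanumeric passcode, the 5-minute lifetime and the `PasscodeStore` class are assumptions chosen to show the pattern: passwords are stored only as salted one-way digests, and passcodes are generated from a CSPRNG, kept only as a digest, and are single-use and expiring.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed scrypt work factors for the example (not Yellow XR's settings).
# N=2**14, r=8 uses about 16 MiB per hash, which stays under hashlib's
# default 32 MiB memory cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a salted, one-way scrypt digest; the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Assumed passcode format: 8 characters from A-Z0-9 (about 41 bits of entropy).
PASSCODE_ALPHABET = string.ascii_uppercase + string.digits
PASSCODE_LEN = 8
PASSCODE_TTL_SECONDS = 300  # assumed lifetime: five minutes


class PasscodeStore:
    """Issues session passcodes that carry no patient identity.

    Only a SHA-256 digest of each passcode is kept, mapped to the session it
    opens and an expiry time; a passcode is consumed on first successful use.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, session_id: str) -> str:
        """Generate a fresh passcode for a session using a CSPRNG."""
        code = "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(PASSCODE_LEN))
        self._pending[self._key(code)] = (session_id, self._now() + PASSCODE_TTL_SECONDS)
        return code

    def redeem(self, code: str):
        """Return the session id for a valid, unexpired passcode, else None.

        The entry is removed on lookup, so a passcode cannot be replayed and
        an expired one is discarded rather than left behind.
        """
        entry = self._pending.pop(self._key(code.strip().upper()), None)
        if entry is None:
            return None
        session_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return session_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))

    store = PasscodeStore()
    code = store.issue("session-0001")
    print("passcode handed to patient:", code)
    print("first redeem:", store.redeem(code))
    print("replayed redeem:", store.redeem(code))
```

The provider-side check never sees the plaintext after hashing, and the passcode store holds nothing that identifies the patient, only a digest tied to a session and a deadline, which matches the page's point that patient verification remains the provider's task at the start of each session.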
If you have any questions, please contact our support team.