Security

Ensuring confidentiality, integrity, and availability of data

Our commitment to maintaining the trust of valued customers, employees, and stakeholders is paramount. Since our establishment in 1999, we have recognized the critical importance of safeguarding the confidentiality, integrity, and availability of sensitive data.

As an end-to-end platform enabling omnichannel personalization in life sciences, ekoDNA® was specifically designed with a comprehensive system and processes for securely storing and transmitting proprietary information such as HCP data, and other confidential data.

Oi diligently manages and protects data, building trust through audits and stringent security measures. In this overview, we provide an in-depth look at our robust security program, use of third-party providers, and the privacy and security processes implemented. Committed to privacy and security, we strictly adhere to applicable laws and regulations governing personal information storage and handling. Our security practices are designed to meet industry standards, ensuring the protection of sensitive data.

Safeguards

Organizational and Procedural

To ensure the highest level of security, we maintain a meticulously documented information privacy, security, and risk management program. This program encompasses clearly defined roles, responsibilities, policies, and procedures. Our security program adheres to internationally recognized standards, including:
  • ISO 9001:2015 – Quality Management Systems
  • ISO/IEC 27001:2013 – Information Security Management
  • SOC 2 Type II – System and Organization Controls
  • SEI Capability Maturity Model Integration (v1.3)
  • IT Infrastructure Library (ITIL) version 4
We consistently review and update our security program to adapt to evolving technology, regulations, laws, industry best practices, and the changing risk landscape.

Security Organization & Management

To effectively manage security, we maintain a dedicated responsibility and accountability structure. This structure enables us to:
  • Coordinate our information security arrangements
  • Provide designated points of contact for addressing information security concerns
  • Continuously monitor the effectiveness of our security measures
  • Maintain approved security standards
Furthermore, we have appointed an information security officer who works closely with business managers, IT staff, users, and other relevant stakeholders to ensure that everyone fulfils their information security responsibilities.

Personnel

Roles & Responsibilities

We establish clear roles and responsibilities for all information processing activities within our organization. This includes the management and control of operational systems, administration and support of communication networks, and the development of new systems. To maintain separation of duties, we distinguish the roles and access rights of computer operators and system administrators from those of network and systems development staff.

In addition, we maintain procedures to:
  • Supervise information processing activity
  • Minimize the risk of improper activity or errors
  • Conduct thorough screening of applicants for security-sensitive positions

Training

We place great emphasis on role-based security training and security awareness among our employees. Active employees and contractors are required to undergo biennial security awareness training. Additionally, employees in specific roles, such as customer support representatives, developers, and hiring managers, receive more extensive and annual data security training.
Identity & Access Management

Access Policy

To maintain secure access to our systems, applications, and associated information, we adhere to well-defined access policies that incorporate the principle of least privilege. We enforce these policies through automated means, requiring personnel to obtain authorization before gaining system access. We employ secure techniques, such as TLS, SSH, SSL-enabled FTP, or VPN, for command and control functions.

Privileges

We ensure that access mechanisms operate securely and align with established security practices. This includes measures such as password storage in encrypted form and the establishment of heightened control over the issuance of special access privileges. Authorizations that are no longer required are promptly terminated.

Authentication

To verify the identity of authorized users, we employ industry-standard practices for identification and authentication. The level of authentication applied aligns with the associated business risk, with stronger authentication measures used for high-risk users. Additionally, we adhere to industry standards for password management, including periodic password changes. Our sign-on process promotes individual accountability and enforces access disciplines such as suppressing information that could facilitate unauthorized use and disconnecting users after a defined number of unsuccessful sign-on attempts.

Access Logs

We maintain comprehensive access logs designed to facilitate the diagnosis of disruptive events and establish individual accountability. These logs undergo periodic reviews to detect signs of unauthorized access or changes.
Security Architecture

Our organization has developed and implemented a robust security architecture that encompasses our entire information resources. This architecture incorporates a defined set of security mechanisms and supporting standards. Its key features include:
  • Support for information resources with varying levels of protection
  • Enablement of secure information flow within and between technical environments
  • Provision of efficient access for authorized users across different technical environments
  • Capability to revoke access privileges for individual users when they leave or change positions
We maintain an inventory of critical information assets and the applications used to process them. Additionally, we conduct regular information security risk assessments, particularly when there are material changes in our business or technology practices, to ensure the privacy, confidentiality, security, integrity, and availability of data.
Physical and Environmental

Physical Access

To safeguard our equipment and facilities, we work with trusted third-party data center providers who have implemented robust measures. These measures include:
  • Restricting physical access to authorized personnel
  • Ensuring the presence of security staff where necessary

Protection from Disruption

Our production environments are equipped with specialized equipment to mitigate the risk of power outages or failures. These measures allow for rapid asset recovery in the event of an outage, protect power, network infrastructure, and critical systems from damage or compromise, and fortify buildings against natural disasters or intentional attacks.

Network Communications & Systems Assets

Firewalls

We deploy industry-standard firewall technologies and implement procedures to manage firewall rules and changes to these rules. We maintain a clear separation between informational resources used for production purposes and those used for systems development or acceptance testing.

Antivirus/Antimalware Management

To prevent the proliferation of viruses and malicious code, we utilize up-to-date software and related procedures. These controls are applied to internal computing environments used for the development and delivery of our hosted applications.

Acceptable Usage Policy

Our organization has established clear policies and standards governing the use of the Internet across the enterprise. To protect critical systems, including those connected to the Internet, we employ network and host-based intrusion detection services.

Denial of Service

We ensure that our data center infrastructure providers have implemented appropriate countermeasures to protect against denial of service attacks.

Media Sanitation and Removal

We follow industry-standard processes and utilize advanced technologies to permanently delete data that is no longer needed or authorized.

Encryption

To ensure secure data transmission across untrusted networks, we employ industry-standard encrypted transport protocols, with a minimum requirement of Transport Layer Security (TLS) v1.2. Data at rest is encrypted using Advanced Encryption Standard (AES) 256 encryption or equivalent algorithms.

Vulnerability and Penetration Testing

To identify vulnerabilities and protect our applications, we have implemented comprehensive monitoring systems for applications, databases, networks, and resources. Prior to release, our solutions undergo internal vulnerability testing. We have also developed internal penetration testing systems and conduct vulnerability assessments on our software using automated and manual methods at least once a year. Additionally, we engage third-party security specialists annually to perform vulnerability and penetration testing on our systems. Furthermore, we regularly scan our internet-facing systems for vulnerabilities.

Business Continuity and Disaster Recovery

To minimize the risk of business disruptions, our solutions are designed to avoid single points of failure. We maintain formally documented recovery processes that can be activated in the event of significant business disruptions affecting our corporate IT infrastructure and the production infrastructure handling customer data. Regular testing is conducted to verify the effectiveness of these recovery processes. We also employ various disaster recovery measures to minimize data loss in the event of a single data center disaster. Our solutions are architected with redundancy configurations to minimize service interruptions. We continuously monitor our solutions for any indications of failure or potential downtime, taking proactive measures to minimize or prevent such occurrences.

Incident Response

Incidents are managed by a dedicated team following a formal incident response policy and process. All personnel are trained to promptly report any security incident. To keep clients informed, we provide access to a dedicated webpage that displays upcoming maintenance downtimes, data center incidents, and security communications.

Software Development Lifecycle

We adhere to industry-standard software development lifecycle processes and controls for the development and modification of our software, including updates, upgrades, and patches. Our process includes secure software development practices, as well as application security analysis and testing.

Suppliers

We engage third-party data centers, cloud-based services, and other suppliers to support our operations and provide solutions to our customers. To ensure the security of our data, we require these suppliers to enter into downstream agreements with us, such as nondisclosure agreements, data processing agreements, and business associate agreements as applicable. We also conduct risk assessments and require our suppliers to complete data security questionnaires to assess their competency and appropriateness in terms of security. Additionally, we periodically review our suppliers’ security posture based on a risk-based approach.

Certification

ISO (International Organization for Standardization) 27001

We are in the process of obtaining ISO 27001 certification, which involves annual audits by accredited third-party certification bodies to assess compliance with ISO 27001 and ISO 27018 controls. ISO 27001 is a globally recognized security standard that provides guidelines for policies and controls to secure data. It focuses on the systematic development, deployment, and management of a risk/threat-based information security management system. ISO 27018 is an international code of practice that emphasizes privacy controls for cloud providers.

In conclusion, our commitment to maintaining the confidentiality, integrity, and availability of data is evident through our comprehensive security program. We adhere to industry standards, implement robust organizational and procedural safeguards, and engage in ongoing monitoring, training, and testing to ensure the effectiveness of our security measures. Through these efforts, we strive to earn and maintain the trust of our customers, employees, and stakeholders.