Computerized systems and IT security

General: Information is stored in European data centers to comply with the GDPR; additionally, the following certifications apply:

PCI DSS, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701, ISO/IEC 5001, BSI-C5, SOC 1 TYPE II and SOC 2 TYPE II, CSA-STAR, HDI

System function: Cloud-based multi-core Linux servers with RAID storage are used. The servers provide data transfer and data storage functionality.

System security: The computerized systems are located in an environmentally controlled area within a security-controlled and certified data center in Europe.

Virus protection & detection: The servers are protected with Sophos Antivirus for Linux. Mobile and desktop clients accessing the infrastructure are secured by Bitdefender security software.

Data centers: Separate power sources are provided for all data centers. Generators (with an autonomy of 24 to 48 hours) are deployed at all sites to take over in case of failure of the main power sources or of their redundancy. UPS systems provide uninterruptible power while the generators start.

Network access of all data centers is based on the deployment of a fully redundant proprietary global network. Two separate network flows connect each data center to this global network.

Detection systems are integrated into the global monitoring system of the data centers. A dedicated security team is also present in each of our data centers, supported by an HSE (Hygiene, Safety, Environment) team of engineers and senior technicians who guarantee compliance with the regulations and standards applicable to industrial activities, as defined by international organizations in the fields of health, safety at work and the environment.

Access control: Only authorized personnel are allowed to access the cloud infrastructure, which is secured to the highest standards with strong passwords, multi-factor authentication and public-key authentication using SSH key pairs. Server access is logged, audited and monitored under a shared-responsibility model.

Backup storage: Daily incremental backups are stored encrypted on backup cloud servers located in other geographical regions. Additionally, frequent encrypted off-site/offline backups are kept in secured office spaces to protect against ransomware attacks.

Database archiving/administration: The electronic records are stored on the servers' RAID storage while they are in use. For the administration of imaging and electrophysiological data as well as related metadata (quality parameters, sociodemographic and clinical data), the informatics platform XNAT is used. XNAT is an open-source imaging informatics platform. XNAT's core functions manage importing, archiving, processing and securely distributing imaging, electrophysiological and related study data (http://www.xnat.org/). For clinical trial management, XNAT CR is used, which is 21 CFR Part 11 compliant and tuned to the needs of FDA clinical trials.

Alternatively, self-hosted physical servers co-located in ISO 27001 secured data centers can be used for data storage and administration.