Security and Data Privacy are at the heart of our business, and a Code of Ethics stating our commitments to the highest standards defines these guiding principles at the core of our offering. Below, we’ve provided an overview of the measures we take to secure your data.
Integrity and assurance are the key attributes of everything we do at Clario. We are committed to protecting our customers’ data above all else, with teams that operate 24x7x365 to ensure that safeguards are continuously monitored and upheld.
Clario is secured according to the most recent standards in order to protect your data. Accreditation against GDPR, HIPAA and ISO 9001 is completed on an annual basis.
We are actively pursuing our certification to ISO 27001 (Standards for Information Security Assurance), the standard that describes how Information Security should be organized in a process-based manner, allowing security risk to be rationalized alongside general business risks throughout the organization. Continuous compliance and validated audit controls form the basis of this comprehensive security governance program. Contact us if you’d like to learn more.
Security of Clario Accounts
- Users have individual accounts, and strong passwords are required. Accounts are locked after a small number of failed login attempts to prevent brute-force password guessing.
- Sessions automatically time out after 10 minutes of inactivity.
- A second level of access control over data is set by the study and/or site administrator, by assigning roles to users at the organization, study or site level.
- Site administrators can enforce additional security policies, such as mandatory two-factor authentication or regular password rotation on top of the primary security policy set at the enterprise level.
- Access is denied by default, so other researchers or sites cannot reach data they have not been explicitly granted.
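The three account controls listed above (lockout after repeated failed logins, a 10-minute inactivity timeout, and deny-by-default role grants scoped to organization, study or site) can be illustrated together. The following is an added example and not Clario's code; the lockout threshold of 5 attempts, the 15-minute lockout period and the rule that a role granted at an enclosing scope (organization over study over site) applies to the scopes inside it are assumptions, while the 10-minute idle timeout is the value stated on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values. Only the 10-minute idle timeout is stated on the page;
# the lockout threshold and lockout period are assumed for this example.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_PERIOD = timedelta(minutes=15)
SESSION_IDLE_TIMEOUT = timedelta(minutes=10)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) so a leaked hash resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    # Role grants keyed by scope, e.g. ("study", "S-001") -> {"read", "export"}.
    grants: dict = field(default_factory=dict)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class Session:
    username: str
    last_activity: datetime
    expired: bool = False


def attempt_login(acct: Account, password: str, now: datetime):
    """Return (outcome, session). A locked account is refused before the password is checked,
    so guessing cannot continue while the lock is in force."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked", None
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD
            acct.failed_attempts = 0
            return "locked", None
        return "bad_password", None
    # Successful login clears the failure counter and any expired lock.
    acct.failed_attempts = 0
    acct.locked_until = None
    return "ok", Session(acct.username, now)


def touch_session(sess: Session, now: datetime) -> bool:
    """Record activity on a session; refuse it once it has been idle longer than the timeout."""
    if sess.expired or now - sess.last_activity > SESSION_IDLE_TIMEOUT:
        sess.expired = True
        return False
    sess.last_activity = now
    return True


def is_authorized(acct: Account, action: str, scope_chain) -> bool:
    """Deny by default: allow only if some scope enclosing the target carries a grant for the action.
    scope_chain lists the target's ancestry, e.g.
    [("organization", "O-1"), ("study", "S-001"), ("site", "X-9")]."""
    return any(action in acct.grants.get(scope, set()) for scope in scope_chain)


if __name__ == "__main__":
    # Constructed sample account: read access granted at the study level only.
    salt = b"constructed-salt"
    alice = Account("alice", salt, hash_password("correct horse", salt),
                    {("study", "S-001"): {"read"}})
    t0 = datetime(2024, 1, 1, 9, 0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(alice, "wrong", t0)[0])
    print(attempt_login(alice, "correct horse", t0)[0])                   # still locked
    outcome, sess = attempt_login(alice, "correct horse", t0 + LOCKOUT_PERIOD)
    print(outcome, touch_session(sess, t0 + LOCKOUT_PERIOD + timedelta(minutes=11)))
    print(is_authorized(alice, "read", [("organization", "O-1"), ("study", "S-001"), ("site", "X-9")]))
    print(is_authorized(alice, "export", [("organization", "O-1"), ("study", "S-001"), ("site", "X-9")]))
```

The lock is checked before the password so that a locked account cannot be probed; a correct password presented during the lockout is rejected just like a wrong one, and the failure counter only resets on a genuine successful login.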
Security of the servers
- Clario applications run on fully managed virtual private servers, with providers in the following regions:
  - USA: AWS, Azure, Equinix
  - United Kingdom, EU, and Australia: AWS, Azure
- All hosting platforms hold the relevant certifications (ISO 27001, ISO 9001) and/or comply with national or international standards (HIPAA, NEN 7510).
- Our servers are patched with security updates on a weekly basis, depending on the environment. Critical updates are applied as they become available to mitigate potential security vulnerabilities.
- Access to data centers is restricted to authorized personnel only. Locations are protected by digital surveillance equipment.
- Backups are made daily and stored encrypted within a different physical location to ensure maximum security and continuity.
Security of Clario as an Enterprise
- All of Clario’s applications run on security-hardened servers with only necessary services and ports open to the outside world.
- Web traffic is only permitted using modern, industry standard encryption, and all uses of cryptography are regularly reviewed.
- Network security groups and firewalls ensure that no unauthorized connections can be made to any of our servers.
- Database servers and other data stores are never directly accessible from the public Internet in order to prevent external attacks.
- In addition to our default encryption of data at rest and in transit, certified to FIPS 140-2 standards, Clario continuously monitors all infrastructure for host- and network-based intrusions so that they can be resolved immediately.
General application security principles
- Application code uses modern techniques to minimize the risk of SQL injection, cross-site scripting (XSS) and other common attacks noted in the OWASP SAMM.
- Immutable audit logs provide a fine-grained overview of data access and modifications.
- Data is encrypted at rest and in transit.
- Regular penetration tests ensure our application and infrastructure security is always up to date. Potential vulnerabilities can be reported via our Responsible Disclosure program.
Organizational and Personnel security
- Access to the office is restricted via personal, digital key tags. Visitors have to be accompanied at all times.
- All laptops, phones and other devices used by employees and contractors are fully encrypted.
- Laptops are protected with endpoint security, including anti-virus and anti-malware.
- Passwords and other digital credentials are securely stored within a corporate password manager and access to critical systems requires Multi-Factor Authentication (MFA).
- All employees and contractors attend security training at least twice a year and take part in regular security awareness campaigns to promote additional awareness and diligence.
Our Secure Development Life Cycle Policy describes the entire software development lifecycle and all the measures we take to ensure the best possible security. This includes our security non-functional requirements, secure architecture reviews, data minimization audits, SAST and DAST-enabled release cycles, feature and bugfix procedures, secure code review requirements and QA processes. Security Impact Assessments are the artifacts delivered prior to product release as part of our Secure the Product program, ensuring compliance with regulatory requirements.
You can contribute to the security of your data. We advise everyone not to store personally identifiable information (names, social security numbers, date of birth, etc.) within Clario, and to confirm that only de-identified data is shared in any communications.