Table of Contents
- Infrastructure & Data Centers
- Patching Policy
- Penetration Tests & Vulnerability Scanning
- User Access
- Incident Management and Reporting
- Data Sovereignty
1. Infrastructure & Data Centers
Clario is hosted with some of the largest data center providers, including Amazon Web Services (AWS), Azure, and Equinix. Access to these data centers is strictly controlled and monitored by 24/7 onsite security staff, biometric scanning, and video surveillance. AWS, Azure and Equinix maintain multiple certifications for their data centers, including ISO 27001, PCI DSS, Cloud Security Alliance Controls, and SOC reports. Formal audits on each of our infrastructure providers are undertaken on an annual basis. For more information about their publicly available certifications and compliance standards, please visit the Security websites and Compliance websites of each of the aforementioned providers.
All services that make up the Clario ecosystem are highly available. We use a combination of clustering, load-balancing, and replication in order to ensure that there are no single points of failure in the system. Each of our regions makes use of two or more availability zones, with redundancy across them. Annual disaster recovery testing is documented for each service line and results are available to view in an audit context.
Clario’s defense-in-depth posture includes the use of multiple solutions that in concert ensure that our ecosystem meets the appropriate regulatory and security standards. Clinical and corporate workloads run in separate, distinct infrastructures. In the clinical domain, applications are protected by Intrusion Detection Systems / Intrusion Prevention Systems (IDS / IPS) network sensors, Firewalls, Load Balancers, Web Application Firewalls, and Endpoint Security systems. In combination, these solutions work to protect us from malware, Denial-of-Service (DoS) events, and unauthorized access.
Clario’s Cloud environment is governed by Clario’s Cloud Management Standard Operating Procedure (SOP). This SOP provides an overview of how the Cloud is utilized as a service provider for the business.
2. Patching Policy
All of Clario’s production servers run with the latest security patches provided by their operating system vendors. Security patches are applied at regular intervals. Critical patches are applied as soon as they have passed regression testing and are available to release. Systems are classified according to their quantified risk score. Patching priority is given to the systems that are classified with the highest score, ensuring that vulnerabilities are managed appropriately across the business. Clario’s Patch Management process is governed by the Clario Patch Management standard operating procedure (SOP). This SOP provides an overview of how Clario teams are notified of security upgrades, as well as the process to apply security patches to in-scope systems.
3. Penetration Tests & Vulnerability Scanning
Vulnerability scans run continuously across the Clario network, checking for any instance where systems require patch management. In addition to these vulnerability scans, Clario is contracted with an external company that performs a network-wide Penetration Test annually. Depending on the findings and observed risk level, Clario’s Chief Information Security Officer (CISO) will prioritize remediation or process correction, thereby ensuring that acceptable security standards are met. Our process states the necessity for immediate correction of high-risk, remotely exploitable exposures where such an exploit is published within the Common Vulnerabilities and Exposures (CVE) list or where a firewall or application has unnecessary ports exposed to the internet. Such high-risk exploits or exposures are infrequently found within the network at Clario.
Low-risk exploits are tasked for remediation around scheduled data center maintenance windows. On occasion, Clario will conduct unscheduled vulnerability scans of the network, especially during changes to network or firewall infrastructure (before and after the infrastructure change).
Clario’s process for penetration tests and vulnerability scans is governed by the Security Management SOP. This SOP provides an overview of how these processes are performed. Vulnerability reports are considered confidential and are not shared outside the IT department.
Encryption In Transit
Clario supports full encryption in transit for all outbound data transfers. No unencrypted data leaves our data center. All our monitoring and backend systems use transport-level encryption when communicating with internal systems. Modern Transport Layer Security (TLS) ciphers are used for all communication from Clario to the rest of the internet.
Encryption At Rest
Clario encrypts customer data at rest by default for all enabled devices and protocols. Customer data is isolated and maintained separately from corporate data, requiring additional authentication and authorization in order to access.
Clario’s Encryption Policy is governed by our Security Management SOP. This SOP governs how Clario encrypts data across products and services.
Clario’s ecosystem of products and services is extensively monitored for security events, potential malware, and anomalous traffic patterns. Our Security Information and Event Management (SIEM) platform uses a centralized logging system which ingests logs from across our infrastructure including network sensors, network appliances, servers, devices, and email. In tandem, our application performance monitoring and user session activity monitoring platform is distinguished from the monitoring of our infrastructure, facilitating the speedy triage of observed events between operational, infrastructure, and security teams. In the event of an incident, all log sources are aggregated for deep inspection and analysis through a team effort coordinated through a designated War Room. Clario currently staffs a 24/7/365 Security Operations Center that participates in the monitoring, investigation, resolution, reporting, and traceability of any perceived threats.
Clario’s monitoring platform is outlined in greater detail in the IT Security Management and IT Incident Management SOPs. These SOPs govern how Clario addresses concerns raised by our monitoring systems.
6. User Access
User access management is tightly governed across our corporate, clinical, and management systems with respect to the Principle of Least Privilege. In order to access Clinical Applications, users must be registered with our Identity Governance and Customer Identity Access Management system by an authorized individual who is responsible for assigning the correct role and associated permissions. These systems are audited on a quarterly basis, via a request for re-certification of end user credentials.
In the clinical domain, Clario employees use dedicated accounts with enforced Multi-Factor Authentication. System access is limited to those users who are active in our systems and are communicating over our Virtual Private Network (VPN). Our password policy is enforced across all clinical, corporate, as well as management accounts. Dedicated accounts with specific roles are configured for database administrators, general administrators, and technical support staff. Privileged accounts are enrolled in our Privileged Access Management system, and activities undertaken in these contexts are monitored, audited, and recorded.
User Access in Clario is governed by the Clario Access Management SOP. Privileged accounts are tightly governed by our Access Management SOP that defines Privileged Access Management and our associated audit procedures. These SOPs, and the term “Employee”, apply to all members of Clario, employed either permanently or by contract.
Clario runs a nightly backup of files, databases, configurations, and servers. Incremental daily differential backups, as well as full scheduled weekly backups, are maintained by the Data Center Management team. Backups are encrypted and are stored offsite in a separate physical location. Backup tapes are encrypted using the backup software’s proprietary encryption process (AES 256), wherein random keys are created for each backup file, with the key stored in a secure vault accessed through Active Directory.
As a SaaS provider, our backup strategy is reviewed regularly for potential enhancements. Complete media recovery tests are performed from a randomly selected offsite backup on an annual basis. A formal network-wide disaster recovery plan is in place as well as a product-specific Business Continuity Plan (BCP), which are both tested in a scheduled Incident Response scenario annually.
Clario’s Backup policy is governed by the IT Service Continuity Management SOP.
8. Incident Management and Reporting
Clario has an incident management and reporting process in place that enables unified security monitoring and protection across our environments. In the event of an incident, all log sources are aggregated for deep inspection and analysis through a team effort coordinated through a designated War Room. Clario staffs a 24/7/365 Security Operations Center (SOC) that participates in the monitoring, investigation, resolution, reporting, and traceability of any perceived threats.
In the event of a Security Incident that impacts customer data, a Core Security Incident Response Team (CSIRT) is established in order to facilitate information sharing. This team is composed of Communications, Legal, Technical, and Executive professionals who guide our sponsors and customers through any external reporting or regulatory reporting requirements.
The IT Incident Management SOP describes the procedure followed to record and manage Clario incidents and associated tickets. The IT Event Management SWI describes the reporting process.
Security-by-Design and Privacy-by-Design paradigms are inherent within our software development practice. These methodologies ensure that our products and services maintain only pseudonymized information, inclusive of only the specific information that is required to complete the designed purpose of the solution. Access, Authentication, Authorization, Audit, and Data Protection are audited as part of each software release cycle, or on an annual basis for legacy product lines. Regulatory requirements such as GDPR, CCPA, FDA 21 CFR Part 11 Compliance, and GXP form the body of our Non-Functional Requirements library that is adhered to by all product lines.
Clario maintains separate testing, development, and production environments to ensure that the highest code quality is met. Standards include code reviews and peer programming conducted by experienced developers with a strong focus on security and stability. In addition, we run automated tests that scan for security vulnerabilities in each of our code builds. Our hosted code platform enables us to reach a high level of traceability and automatically monitor our third-party dependencies for security vulnerabilities. Static Application Security Testing, Dynamic Application Security Testing, and Interactive Application Security Testing are completed prior to each release as part of our Security Audit process, culminating in a documented Security Impact Assessment and Data Privacy Impact Assessment prior to code release authorization.
10. Data Sovereignty
Clario enterprise customers have the option of hosting their data in one of the following regions: United States or Germany. Further regions may be available if requested; ask your sales representative if you require hosting in a specific region for data sovereignty or legal purposes.
Clario uses a worldwide Content Delivery Network (CDN) for caching, which results in application speed being the same everywhere in the world.
Clario’s Privacy and Integrity Policy along with applicable data privacy laws and regulations govern our process for ensuring Data Privacy and Data Sovereignty across the company.