Secure by Design
A change management policy governs every change and modification in the application and ensures their authorization before implementation. We strictly follow secure coding guidelines, as well as the screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes under our Software Development Life Cycle (SDLC). Our robust security framework, implemented in the application layer, provides functionalities to mitigate threats such as Structured Query Language (SQL) injection, Cross-site scripting and application layer Denial of Service (DOS) attacks.
Data Isolation
We distribute and maintain separate cloud space for our customers. Each user's data is logically separated from other users' data using the separate databases / instances on AWS. This ensures that no customer's data becomes accessible to another user. The service data is stored on AWS servers. User data is owned by users, and not by CloudLIMS. We do not share user data with any third-party.
Encryption
In Transit: Strong encryption protocols protect all user data transmitted to our servers over public networks. We mandate all connections to our servers to use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections, including web access, API access, and IMAP/POP/SMTP email client access. A secure connection is ensured with authentication of both parties involved in the connection and data encryption. TLS encrypts and delivers pages, data, email securely, mitigating eavesdropping / hacking between servers. We have also enabled HTTP Strict Transport Security (HSTS) header to all our web connections.
Therefore, all modern browsers can only connect to us over an encrypted connection.
At Rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). We own and maintain the keys provided by AWS Key Management Service (KMS).
System Validations
Whenever we provide an upgrade or a patch release, we revalidate the system in-house using our standard operating procedures (SOPs) and thorough testing. Additionally, whenever we release an upgrade, we keep our customers informed about the changes made to the system.
Secured CloudLIMS API
Secured CloudLIMS API access via combination of tokens / access keys and secret key.
Audit Trail
CloudLIMS complies with US Food and Drug Administration’s (FDA) 21 CFR Part 11guidelines. Any activity performed on any records is tracked with user name, original value, current value, module name and along with a data and time stamp. These records can be exported in MS Excel or PDF file formats.
Data Retention and Disposal
We hold the customer data as long as you choose to use CloudLIMS’ services. Once you terminate your service agreement with CloudLIMS, your data is deleted from the active database after 30 days.