• Information Security
• Security Incident Response
• Vulnerability Management
• Policy Management and Maintenance
• Data Request
• System Access
• Business continuance and disaster recovery
As part of our data protection compliance process, we have implemented technical, physical and administrative security measures to protect our customers’ and customer’s users’ Personal Data as explained below.
Physical Access Control
The Company protects the data servers that store Personal Data on its behalf from unwanted physical access. The data processed by the Company are stored in AWS US data servers. The Company also secures physical access to its offices by ensuring that only authorized individuals, such as employees and authorized external parties (maintenance staff, visitors, etc.), can enter the Company’s offices, using security locks and an alarm system amongst other measures.
Access to the Company’s database is highly restricted to ensure that only the relevant personnel who have received prior approval can access it. The Company has also implemented appropriate safeguards for remote access and wireless computing capabilities. Employees are assigned private passwords that grant access to, or use of, Personal Data strictly in accordance with the employee’s position, and solely to the extent such access or use is required. Access to the Personal Data and the passwords used to gain access are monitored constantly. In addition to password login, two-factor authentication (“2FA”) provides an added layer of security to the Company’s database. The Company uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute-force attack.
Data Access Control
User authentication measures have been put in place to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it, and to ensure that Personal Data is not accessed, modified, copied, used, transferred, or deleted without specific authorization for such actions. Any access to Personal Data, as well as any action involving the use of Personal Data, requires a username and password, which is routinely changed and blocked where applicable. Each employee can perform actions solely in accordance with the permissions granted to them by the Company. Furthermore, the Company conducts ongoing reviews of the employees who have been authorized to access Personal Data, to assess whether such access is still required. The Company revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access the Personal Data that is within their individual profiles.
BIScience has implemented a central read-only log repository which provides easy search and alerting capabilities. All actions in the BIScience system are logged, and log data is reviewed on a regular basis. BIScience does not allow customers to access logs. However, in the case of a court order or official investigation, BIScience will provide the required information.
Organizational and Operational Security
The Company invests considerable effort and resources in ensuring that its security policies and practices are complied with, including by continuously training employees on those policies and practices. The Company strives to raise awareness of the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including installing firewalls and anti-virus software on applicable Company hardware and software, to protect against malicious software.
All transfers of Personal Data between the client, the Company’s service providers and the Company’s servers are protected using encryption safeguards, including encryption of the Personal Data prior to any transfer. The Company’s servers are protected according to industry best standards. In addition, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement, in accordance with applicable laws. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified, or removed by unauthorized parties during electronic transmission, or during transport or storage in the applicable data center. Further, all transfers of data (between servers, from client side to server side, and between the Company’s designated partners) are secured (HTTPS) and encrypted. Encryption is enabled by default both in transit and at rest.
Measures for ensuring the ability to restore the availability of, and access to, Personal Data in a timely manner in the event of a physical or technical incident have been implemented by the Company and include an automated backup procedure. The Company’s backup concept includes automated daily backups, and periodic checks are performed to confirm that the backups have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster the Company will be able to continue to provide its services.
Personal Data is retained for as long as needed for us to provide our services or as required under applicable laws.
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company applies repercussions to ensure compliance with its policies. In addition, prior to engaging third-party contractors, the Company undertakes diligence reviews of such contractors. The Company agrees with third-party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company. The Company ensures that it enters into data protection agreements with all of its clients and service providers.
Software Development Life Cycle
Software development and change management at BIScience are performed in a manner to help ensure applications are properly designed, tested, approved, and aligned to BIScience’s customers’ business objectives. Changes are discussed, evaluated, and approved by relevant managers from Product, Development and Operations. Personnel responsibilities for the design, acquisition, implementation, configuration, modification, and management of systems are assigned. In addition, changes performed to the application are communicated to BIScience’s customers through release notes published on the BIScience customer success website.
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented in response to the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). These measures include the following:
• encryption both in transit and at rest;
• As of today, we have not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
• No court has found BIScience to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
• BIScience shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
• BIScience shall use all available legal mechanisms to challenge any demands for data access through national security process that BIScience receives, as well as any non-disclosure provisions attached thereto.
• BIScience will notify Customer if BIScience can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, BIScience conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools to detect potential security weaknesses before they can be exploited.
Reporting a Security Issue
BIScience invests considerable resources in ensuring secure code and infrastructure for all of its products. If you believe that you have found a security vulnerability in any of our products, please report it to us straight away via e-mail to email@example.com. Please be sure to include a brief description, detailed steps to reproduce, and the potential impact.
Responsible Disclosure Policy
We encourage responsible disclosure, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of any data you come across, avoiding violating the privacy of any person or degrading our offerings. Please give BIScience reasonable time to fix any vulnerability you find before you make it public. In return, we promise to investigate reports promptly and not to take any legal action against you.