Scispot.io provides a cloud native software platform for life science companies to digitize and automate their R&D and non-R&D workflows. This platform is trusted by all our customers and many of our peers in the industry. Our customers use Scispot to securely store their institutional, operational and R&D data.
Trust, security and data privacy are part of the very fabric of Scispot.io. Scispot is secure by design: our philosophy is to think about security from the very start of the development process. From the very top, our CEO, all the way down to the individual contributors, trust, security and data privacy are ingrained in each of us. We treat our customers' data just as we would treat our own. We recognize the importance of data privacy and of protecting IP in the life science space, and this was one of the compelling factors that led us to build Scispot's platform on a zero-trust policy. That policy has us continuously investing in the tools and services our employees need to prioritize security and data privacy at every step along the way.
Platform Security
Infrastructure Security & Engineering
Scispot.io uses Amazon Web Services (AWS) as its infrastructure hosting partner. AWS is a leader in infrastructure security and maintains multiple security and compliance certifications, including ISO 27001, SOC 1 and SOC 2 (as detailed here).
Using AWS as our infrastructure hosting solution allows Scispot.io to iterate, react, respond and develop much faster, given the ease and scalability that AWS provides. Scispot.io achieves this level of agility by relying on industry standard practices such as infrastructure as code (IaC) and regular data and system backups.
Using a variety of network segmentation techniques, security groups and traffic monitoring, Scispot.io is able to transport data throughout the platform securely, without it being compromised. In addition to these measures, Scispot.io ensures that every customer has a dedicated data path from the web app to our proprietary backend data stores as well as to Scispot's cloud storage offering, Lab Drive. This additional precautionary measure all but guarantees data protection in transit as well as at rest for all of Scispot's customers. All communication within Scispot's platform, as well as communication to and from the platform, is SSL (256-bit) encrypted.
Compliance
All data at Scispot is stored in ISO 27001, SOC 1 and SOC 2 compliant data centers. In addition, each customer's data is completely isolated and protected from other customers' data. Upon request, Scispot's customers may receive an export of their data on Scispot in ISO, GLP, GMP and Title 21 CFR Part 11 compliant formats.
All data on Scispot.io follows the ALCOA+ principles. Also, all data on Scispot.io adheres to the FAIR Data Principles (Findable, Accessible, Interoperable, and Reusable).
Software Development Lifecycle
Scispot.io adopts Agile/Scrum for its SDLC. This methodology allows our developers to iterate continuously on platform features and deliver new enhancements quickly. Throughout development, every pull request (PR) a developer submits must undergo a minimum of two reviews: one by a peer and one by a senior member of the organization, usually the CTO. Each PR needs a minimum of two approvals before it can be merged back into the deployment branch of the version control system. This extra pair of eyes ensures that no sensitive information, such as passwords, secrets, access keys or tokens, is committed to our version control system. In addition, PII and other non-compliant customer personal information is never stored in plaintext on any of our systems.
Identity & Access Management
Scispot.io uses AWS Cognito in conjunction with AWS IAM roles and Identity Pools to manage user and customer access to Scispot. Each customer has a dedicated Cognito User Pool that limits that customer's access to only the resources that belong to them.
The ease of configuring and extending AWS Cognito lends itself well to isolating data between multiple customers. With AWS Cognito, in conjunction with Identity Pools and plain AWS IAM policies, Scispot.io provides fine-grained access for selected users within a customer organization. This allows a company's management to have a higher level of access than individual contributors, should the company want it.
Using AWS Cognito also allows user tokens to be centrally managed and rotated periodically, which limits the window in which an intercepted token can be misused and so reduces the threat of man-in-the-middle attacks. Our user tokens are refreshed every few hours.
Data Protection & Backups
Scispot.io’s digitization and automation platform is not only designed for accuracy, but also for ease of data capture and data retrieval in accordance with the Electronic Record and Electronic Signature (ERES) requirements outlined in the 21 CFR Part 11 guidance.
All data on Scispot.io is fully encrypted at rest using RSAES_OAEP_SHA_256 with RSA 4096-bit keys. All data in transit is encrypted using SSL (256-bit).
By default, customer data is stored in North America. GDPR compliance for our EU customers, and moving customer data storage and processing as close to the customer's location as possible, are use cases Scispot.io handles on a case-by-case basis.
Our customer data is stored in AWS S3 and AWS DynamoDB. Amazon S3 is designed for 99.999999999% durability of objects over a given year. Data in DynamoDB is encrypted at rest and backed up frequently. Encrypted long-term backups are replicated across AWS regions to ensure redundancy.
Operational Security
Threat Detection
Scispot monitors for malicious activity using audit trails and AWS CloudTrail and CloudWatch logs on all of our customer accounts. Our internal threat models, in conjunction with smart alerting on suspicious or malicious activity, have enabled us to stay on top of any potential threats to our customers.
Disaster Recovery & Business Continuity Planning
Scispot.io maintains performance SLAs with its customers and provides recovery time objectives (RTOs) and recovery point objectives (RPOs). All features on the Scispot platform are designed on the assumption that no customer data is safe from an external attack. Hence, redundancy and disaster recovery, along with business continuity planning, are critical to Scispot and its commitment to its customers.
Organizational Security
Enterprise Security
Scispot.io aligns its security posture and capabilities with the Cloud Computing Compliance Controls Catalogue (C5), the National Cyber Security Centre (NCSC) Cloud Security Principles, and the National Institute of Standards and Technology (NIST) Cloud Computing Standards.
All Scispot.io operations comply with the General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) requirements.
Privacy Program & Terms of Use
Scispot.io's privacy program and terms of use are managed by a highly qualified and capable legal team who continuously strive to ensure customer adherence to these policies and revise them as the regulatory landscape changes.
Conclusion
Scispot.io recognizes the crucial importance of its customers' intellectual property and the value of our customers' institutional, operational and R&D data. As a result, the company has safeguarded this data with world class standards of data security and protection. At Scispot.io, the company has implemented leading-edge security and privacy controls all the way from top management down to the individual contributors at the company, and continues to invest in security and data privacy throughout its operations.
For all these reasons, our customers continue to entrust us with their most valued asset — their data — and utilize the company’s products and services to strengthen their security posture. Scispot.io continues to strive to provide this world class “million dollar” experience to all its customers, potential customers and partners alike. Contact us at team@scispot.io for any questions or clarifications.