Security

Security is a major concern for organisations that want to implement a cloud solution. eLABInventory is a product of Bio-ITech, which has been formally certified since 2016 for ISO/IEC 27001:2013, the globally accepted standard for information security management. Read on to learn about the measures we take to safeguard your data.


Data Center and Network Security


Physical Security
Facilities: The eLABInventory servers are hosted at ISAE 3402 or ISO 27001 compliant facilities in at least two geographically separated data centers. The eLABInventory Cloud for North American customers is hosted in the US, and for customers in the rest of the world the eLABInventory Cloud is hosted in Europe. eLABInventory Private Cloud installations are hosted in an Amazon Web Services (AWS) Cloud data center in the customer's region of preference.
On-site Security: All servers are hosted in ISO 27001, SOCII or ISEA 3201 compliant facilities. Our data center facilities feature a secured perimeter with 24/7 manned security, video surveillance, physical locks, and security alarms.
Monitoring: Network availability is continuously monitored by Bio-ITech. In addition, server performance and uptime are monitored in real time, and Bio-ITech is notified when set thresholds are exceeded due to abnormal events.
Location: Bio-ITech uses data centers in the US for customers from North America and data centers within Europe for customers in the rest of the world.
Data Removal: Bio-ITech handles information with great care and disposes of all of its storage devices according to an ISO 27002 data destruction protocol.
Network Security
Dedicated Security Team: Bio-ITech has a globally distributed security response team to respond to alerts and security events.
Protection: Our system is protected by multiple firewalls, secure data transport using HTTPS encryption, regular security audits and preventive measures to avert malicious network attacks.
Architecture: Bio-ITech has multiple security zones with restricted access. Sensitive systems are secured with multi-level protection and are accessible only to those who need access for maintenance.
Network Vulnerability Scanning: Bio-ITech assesses the security of application components periodically during Internal Software Security Audits.
Third-Party Penetration Tests: Our applications are tested extensively for vulnerabilities in periodic penetration tests.
Logical Access: Access to the eLABInventory Cloud and Private Cloud network is restricted on a need-to-know basis. Access requires multiple factors of authentication.
Encryption
Encryption in Transit: All communication between end-users and our data center is encrypted using an SSL (HTTPS) connection. eLABInventory uses an Extended Validation (EV) SSL class III certificate that has been issued by COMODO CA Limited, a registered Certificate Authority (CA). Extended validation certificates are only issued to the most trusted service providers (including governmental institutes and banks) and are indicated by a green trust bar.
Encryption at Rest: All backup data is encrypted and stored securely.
Availability & Continuity
Uptime: The uptime of all eLABJournal Cloud and all eLABInventory Private Cloud servers is monitored in real time. In case of an event, our staff, who are trained to resolve issues, will be alerted.
Redundancy & Backups: The eLABInventory Cloud is hosted in a fully redundant infrastructure to eliminate any single points of failure. All data is replicated in real time and archived on a third database to ensure immediate recovery. Additionally, every 24 hours a full backup of all data is stored in our encrypted vault for disaster recovery.
Disaster Recovery: Bio-ITech has a Disaster Recovery procedure in place in case of a complete system failure.
Escrow Agreement: To secure business continuity, Bio-ITech provides an Escrow service. The source code of the application will be securely stored at an independent third party and will be released in case Bio-ITech fails to provide the required service.

Application Security


Secure Development
Security Training: Bio-ITech organizes annual security training for all its staff to keep security awareness up to date.
Quality Assurance: Dedicated testers review and test developed code for vulnerabilities.
Separate Environments: Development, testing and staging are done in separate environments, ensuring the security of our applications.

Product Security Features


Authentication Security
Authentication Options: In the eLABInventory Cloud we offer eLAB sign-in. In the eLABInventory Private Cloud, we offer the possibility to use Single Sign On (SSO) with Active Directory (AD/LDAP/AD FS).
Single Sign-on (SSO): eLABJournal and eLABInventory allow authentication via Single Sign-on (SSO). This is possible via AD, ADFS, SAML, LDAP and SURFconext, depending on the hosting option.
Two-factor Authentication (2FA): With two-step verification, users can be required to log in with a two-step verification code in addition to their password. The two-step verification code is generated by their mobile device. Two-step verification provides a second layer of security to your account, making it more challenging for someone else to log in as you.
Secure Credential Storage: Bio-ITech adheres to all best practices for storing user passwords. Passwords are never stored in a human-readable format and are stored only as a secure, salted, one-way hash.
API Security & Authentication: The eLABInventory API is SSL-only and you must be a verified user to make API requests. You must always authorize with your username and password or with an API token to access data via the API.
Additional Security Features
Access Privileges & Roles: eLABInventory supports different system roles to allow full system control by an IT system administrator and Organisation Key-Users. In addition to their role as a user, their access level can be promoted to allow full system control over the entire system, or per organisation within the system, depending on the hosting solution.
User Roles & Permissions: eLABJournal and eLABInventory support a comprehensive list of permissions that can be activated or disabled per user. Access to data within eLABInventory can be tightly controlled. Permissions can be configured to define granular access privileges and can be set by the group administrator.
IP Restrictions: In the Private Cloud, you may choose to enable IP restriction to make the application accessible only from specific IP address ranges. These restrictions apply to all users and data stored in the application.

Compliancy


Security Compliance
ISO 27001:2013: Bio-ITech has been ISO 27001:2013 certified since 2016.
GDPR Compliant: Bio-ITech complies with the EU General Data Protection Regulation requirements. In dedicated system installations, a system privacy policy can be enforced that blocks the end-user from adding personal data to their profile.
21 CFR 11 Compliant: eLABJournal and eLABInventory comply with Title 21 CFR Part 11 of the Code of Federal Regulations, the regulations on electronic records and signatures established by the United States Food and Drug Administration (FDA).

Additional Security Measures


Security Awareness
Policies: Bio-ITech applies strict security policies covering a range of topics. These policies are made available to all personnel and contractors that have access to information of Bio-ITech or its customers.
Training: All employees complete extensive security awareness training after hiring to maximize security alertness. In addition, all software engineers receive an annual Good Coding Practice training in which security is a main topic.
Employee Vetting
Background Checks: The educational and professional background of all potential hires is extensively screened during the hiring process. All new employees undergo a formal governmental screening procedure that includes a criminal background check during their trial period.
Confidentiality Agreements: All employee contracts contain a Non-Disclosure and Confidentiality agreement.


Contact our Security Officer

If you have any questions about our security measures or if you are interested in a third-party statement about our information security management, please contact our security officer.