How secure is ROSALIND?

A note on our security posture

ROSALIND is much more than a pretty data visualization website. As a secure, scalable, cloud-based platform, ROSALIND is an end-to-end solution that couples Information Technology best practices with the latest science and web-application development to provide a powerful and visually engaging experience for scientific discovery and collaboration. We employ the latest industry standards to ensure that every data transmission and all stored data are securely encrypted. ROSALIND operates in a secure and private environment on the Google Cloud Platform and does not utilize traditional public cloud services. All platform services are developed and maintained by our expert scientists and developers based in our San Diego, California headquarters. The ROSALIND Clinical and Research Platforms have been verified for HIPAA compliance.


What cloud security measures and certifications have been implemented for ROSALIND?


ROSALIND uses SSL/TLS certificates to secure all communications between each user session and our servers. Our web-application configuration uses the industry-standard ports 443 for SSL, 80 for all HTTP traffic and 8080 for secure API communication. We maintain formal development and bug management processes covering the web application, server-side services and systems, and the Google Cloud Platform infrastructure. Separate development and testing environments are used to validate and verify change management across the development, testing and live configurations.


Google Cloud Platform is certified for NIST 800-53, NIST 800-171 and COBIT 5. Google Cloud Platform conducts rigorous, continuous internal attack-surface testing through various types of penetration exercises. In addition, Google Cloud Platform coordinates external third-party penetration testing using qualified and certified penetration testers. Google Cloud Platform undergoes several independent third-party audits to test for data safety, privacy and security: SOC 1/2/3 (formerly SSAE 16 or SAS 70), ISO 27001, ISO 27017/27018, PCI DSS and HIPAA. Google Cloud Platform's security policy prohibits sharing the results of this testing, but customers may conduct their own testing on our products and services. Google Cloud Platform publishes and makes available its ISO 27001, 27017 and 27018 certificates and its SOC 3 report online.


Google Cloud Platform maintains formal access procedures for granting physical access to its data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to a data center are required to identify themselves and show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers, and only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail and require the approval of the requestor's manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.


For more information on ROSALIND Enterprise Grade Security, including Single Sign-On (SSO) and custom security policies, or to request assistance with an Enterprise IT Security Assessment, please contact support@rosalind.bio.


For an overview of the above, you may review our Data and Security Policy and our Organizational & Hosting Platform Security Measures.