
BioAware Trust Center

 
An online version of the BioAware Trust Center is available on the BioAware website.
 
 
At BioAware, we understand that, in order for our customers to embrace the benefits of the cloud, they must be prepared to entrust us with one of their most valuable assets, their data. When customers invest in a cloud service, they must be able to trust that their data are safe, that the privacy of data is guaranteed and that the service is fully compliant with laws, regulations and standard practices.
 
The goal of our Trust Center is to provide our customers with all of the information needed to make a qualified decision about BioAware as a service provider. The information covers all products and services specified on these pages, whether as part of pure cloud solutions or as part of our cloud-connected on-premises solutions. Please see the table of data centers and services for the exact listing.
 
Please contact us at info@bio-aware.com, should you need further information. We are happy to assist.
 
Security
BioAware has been offering cloud solutions for more than 15 years. Over the years, we have established processes, methods and technologies and embraced proven standards to meet our customers' security, privacy and accessibility needs. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to be even better.
 
Services designed for security
From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured throughout the service's lifetime. Security requirements are based on a combination of legal, sector-specific and client requirements, best practices, and compliance with privacy laws and regulations.
 
  • We perform security audits and penetration testing using certified experts.
  • These include manual and automated security testing of source code (SAST) and of compiled code (DAST). We also run functional tests of all major operations every evening to ensure that our code does not introduce regressions.
  • Our services are tested by the Acunetix security scanning services and are resilient against common attacks.
  • The minimum Security Requirements that all development teams follow are:
    • Passwords are never stored as plain text but are always one-way encrypted (hashed) server side. This means that even we at BioAware are unable to read customers' or users' passwords. If a user loses their password, a new one must be generated, with e-mail verification in between.
    • Communication is always via an encrypted connection.
 
Monitoring and protection
Services made available to our customers are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts and abuse detection using the Acunetix security scanning services.
 
Physical protection
For public cloud solutions, we use Microsoft Azure for storage of information. Its datacenters run around the clock and ensure operations by protecting against power outages, physical intrusion and network outages. These datacenters conform to recognized industry standards of physical security and reliability.
 
For information regarding hosting of our different services, see datacenters in our Transparency section.
 
Incident management
When incidents occur, we have a dedicated Security Incident team (including our DPO, CEO, IT manager and two software developers) that provides the necessary coordination, management, feedback and communication. They are also responsible for assessing, responding to and learning from information security incidents to make sure that we minimize the risk of recurrence. Incidents are reported on https://www.bio-aware.com/page/status for all products and services of BioAware, and customers can follow the progress of resolving any issues there. Our Support section also provides information on issues and their status (https://www.bio-aware.com/BioloMICSSupport.aspx).
 
Protection of information
  • All our staff are covered by confidentiality agreements.
  • BioAware staff are located in Europe and Africa (Tunisia).
  • Our staff only have access to the systems and functions they need to perform their tasks.
  • Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client specific information.
  • Access to stored information is limited to a few people in operations and technical support. Other support staff can only see information that is actively approved by the customer, for example via a support case.
  • Our systems are redundant: two or more units (e.g. network or hardware) work in parallel with the same information, mirroring each other, which increases reliability. If one of them breaks down, the other one takes over.
  • Our systems are constantly monitored by a number of software tools (VMware, OpManager, etc.) that warn us in case of hardware or software problems.
  • Microsoft Azure (our datacenter provider) also adds several layers of security around our hardware and against a number of external attacks that our environment might face.
 
Responsible Disclosure Policy
The information on this page is intended for security researchers interested in reporting security vulnerabilities to the BioAware security team. If you are a customer and have a question about security or a password or account issue, please contact us through the standard support channels available for your product (https://www.bio-aware.com/BioloMICSSupport.aspx).
 
BioAware is committed to the security of our customers and their data, and we believe that engaging with the security community is important. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. If you believe you've discovered a security vulnerability in a BioAware service, product or web property, we strongly encourage you to inform us as quickly as possible and not to disclose the vulnerability publicly until it has been addressed. Contact us via https://www.bio-aware.com/BioloMICSSupport.aspx or by e-mail at info@bio-aware.com.
 
BioAware does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to our Responsible Disclosure guidelines.
 
Responsible Disclosure Guidelines
  • Provide an appropriate level of detail on the vulnerability so that we can reproduce the issue.
  • Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
  • Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
  • Do not use phishing or social engineering.
 
How to Report a Security Vulnerability
 
  • Send an e-mail to info@bio-aware.com.
  • You will get an automated response confirming that we have registered the issue.
  • A support ticket is automatically created and assigned to a Security Analyst.
  • The Security Analyst will triage the issue and escalate to the correct team within BioAware.
  • The issue is fixed!
 
We believe in open communications and will keep customers updated throughout this process. We aim to triage all reports within 12 business hours and address all vulnerabilities within 30 days at most.
 
FAQ
Q: How do we ensure that your services are up and running?
 
Our datacenter has a high level of redundancy (hardware and software). Internet connections are guaranteed and redundant as well. The datacenter is connected to the fastest possible Internet routes to ensure steady data streams. In case of an interruption there is an automatic transfer to a functioning connection, without the service being affected.
 
Q: How do we protect your information against cyber-attacks?
 
  • We perform security audits and penetration testing using specific experts and software.
  • Passwords are never stored as plain text but are always “hashed and salted” (one-way encrypted). This means that not even we at BioAware can find out what your password is. If you lose your password, you must generate a new one.
  • All communications are via an encrypted connection.
  • Our services are tested to withstand common attacks such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), session hijacking, and other threats.
  • We continuously monitor our services via a series of monitoring tools that send alerts when problems occur (memory problems, disk space shortage, CPU usage, security threats, etc.).
  • Microsoft Azure, our datacenter provider, also adds several layers of checks and filters to prevent attacks and threats.
  • Microsoft Azure provides a general-purpose firewall, and we also have our own software firewall that is specific to our environment. Both work together to ensure the highest possible security levels.
  • Antivirus and antimalware software also protect our cloud-based solutions.
 
Q: How do we physically protect your information?
 
  • Complete backups of all virtual machines are done daily, and copies are stored in physically separate locations. Daily virtual machine backups are kept for one week.
  • Backups of customers' databases are also done on a daily basis and stored in physically separate locations. Daily database backups are kept for at least 2 months and up to 6 months for some customers.
  • External and regular backups to customers' facilities can also be done on demand.
  • Video monitoring and traceability of access to the premises.
     
Q: Which guarantees and conditions apply?
 
The relationship between BioAware and our customers regarding our services is governed by BioAware’s terms of use.
 
Privacy
When using services from BioAware, customers entrust us with their data. People will not use technology they do not trust, and for us, privacy and data protection are important matters in building that trust. We protect the privacy of our customers through organizational, technical and physical measures based on strict policies and standards.
 
Our Privacy page describes how BioAware processes personal data, and further information specific to our software products can be found in the relevant terms of service. Please do not hesitate to get in touch with us at info@bio-aware.com, should you have further questions.
 
General Data Protection Regulation
The General Data Protection Regulation (GDPR), a new EU-wide law, is set to come into effect on the 25th May 2018. It is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. For more information about the GDPR, please refer to the EU’s GDPR Portal.
 
The GDPR strengthens the rights of individuals with respect to personal data. This means that BioAware, as a software service provider, must strengthen the security measures that protect the personal data of our customers and of individuals registered in our systems, as well as the features that enable our customers and the individuals who use our services to exercise their rights.
 
It also means we must design our systems so as to enable our customers to meet their obligations as the data controller for the data they process using our systems and services.
 
BioAware naturally sets out to ensure that all of our software services are, to the very best of our efforts, compliant with the GDPR. Therefore, we have designed a comprehensive framework specifically with the GDPR in mind, comprising the following main components:
  • Training for our employees
  • Privacy and data protection built into development and production
  • Dedicated data protection manager
  • A revised data processing agreement
 
Employee Training
All personnel in BioAware completed a mandatory course on privacy and data protection in 2018. In addition, specialist and key roles and teams receive additional training and support, tailored to their needs and requirements. These include, for example, security engineers, security and integration teams, and teams working with systems that handle sensitive data.
 
Privacy built into development and production
Key requirements and principles from the GDPR are built directly into our production and quality management systems, such as:
 
  • Privacy governance framework.
  • Risk assessments, including privacy impact assessments.
  • Detailed data classification.
  • Deletion, correction and return of data.
  • Access and authorization.
  • Encryption, pseudonymization and anonymization.
  • Operational procedures, such as:
    • Data access requests.
    • Incident and breach management, including notification.
    • Third party management, including data processing agreements with our subcontractors.
  • Privacy by design.
 
We also provide a system by which a customer can easily request information about how the services comply with the GDPR.
 
Revised data processing agreement
We are revising the data processing agreements for all our software services in order to align them with the GDPR. All software services that comply with the framework described above will have the same data processing agreement, whose terms are thus based directly on a thorough technical and organizational system of security and privacy compliance.
 
We also provide information here on the Trust Center about your duties as a “data controller” under the GDPR, to enable and support you when using software services from BioAware.
 
Status and more information
If you require more information in the meantime, please do not hesitate to contact us at info@bio-aware.com.
 
Transparency
The BioAware server infrastructure is built on secure public cloud solutions facilitated by Microsoft Azure. Data processing takes place in Europe and follows local European regulations and requirements regarding protection of data privacy.
 
  • Locked and alarmed with 24/7 surveillance.
  • Video monitoring and traceability of access to the premises.
 
FAQ
Q: Is it legal to store data outside of my country?
 
In general, yes. However, some countries have rules that specify special requirements (especially for accounting and payroll data). We are not responsible for the data that our customers store in our systems and do not monitor the information they store, as it is under NDA anyway in many cases. It is therefore the responsibility of the customers to ensure that what they store in our datacenters is legal. If, for some reason, we are made aware that some data are illegal or infringe the law, we will warn our customers and ask them to take the needed actions to solve the issue. If the customer fails to do so, we will take the needed actions to solve the problem.
 
Q: Where are data stored?
 
Data are stored on the Microsoft Azure servers in the West Europe Datacenter.
 
For further information about datacenters, certifications, or data protection, please contact us at info@bio-aware.com.
 
Vision, mission and values
BioAware strives to develop software according to current development best practices. We keep up to date with industry trends and predictions, as well as planned and possible disruptive changes.
 
BioAware releases changes and new versions to customers at varying intervals, ranging from daily updates when needed to longer intervals.
 
We hold the quality of our software as our highest priority, including security and performance of the service. Customer involvement during the development stage is a crucial aspect in order for us to always be in tune with our customers’ needs and be able to deliver the most important features needed by our customers.
 
All of our services are continuously monitored, and if any deviations are detected that have an impact on one or several of our customers, they are reported on our status sites (https://www.bio-aware.com/page/status for all products and services of BioAware, or https://www.bio-aware.com/BioloMICSSupport.aspx for some specific issues).
 
Incident management
An incident is defined as "any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service".
 
When we receive notification of an incident in our system, either from our customers who report a deviation, or from our internal resources (personnel or monitoring), our teams immediately act upon this information and try to classify the incident severity. If of high severity, we follow an escalation process in order to reach the correct team and fix the deviation as soon as possible.
 
Compliance to standards and certificates
In order to make sure that we are following the best development practices, we always strive to comply with industry standards to ensure these are followed to the right extent.
 
Compliance
At BioAware, we develop services that help our customers to comply as closely as possible with national and international laws, as well as industry-specific standards and requirements such as ISO standards and EU directives.
 
We are aware that, for our customers, complying with these rules and regulations is critical for remaining in business, staying ahead of the competition and avoiding punitive actions. Therefore, rules for privacy protection, accounting, taxes and payroll management are all tightly embedded in our processes. What’s more, we are doing our best to ensure that our software complies with applicable laws in the markets to a reasonable extent.
 
All our development processes follow best management guidelines, with versioning, traceability and a history of changes. For compliance details regarding our hosting facilities, see the datacenters in our Transparency section. For information regarding industry-specific compliance, or other details not covered here, please get in touch with us at info@bio-aware.com.
 
 
Document reviewed on: 29th of December, 2023