ChilliPharm | Medical images securely stored

System Security

Please be aware that our aim is to provide adequate assurance on ChilliBean’s systems and processes whilst not disclosing any detail that might lead to a loss of information security or data integrity should the information fall into the wrong hands.

Some of our disclosures are consequently qualitative, rather than spelling out exactly how we secure our systems. We trust you will appreciate this and please ask if further verbal assurance is required.

Firewalls

Firewalls protect all our internal office networks. Our production and test networks are protected using AWS's in-built protections, ensuring that firewalls are in place between the organisation’s network and any external networks not wholly owned and controlled by the organisation.

Data Transmission

All connections to ChilliPharm systems are made over HTTPS, using TLS 1.2 where possible. All communication uses HTTPS for encryption, including media upload, download and playback.

Data Encryption at rest

All data held in the ChilliPharm application is encrypted at rest using AES 256 bit encryption.

Cookies

ChilliBean uses cookies. Text-based values are encrypted and transmitted over secure connections only.

Authentication

ChilliBean systems are only accessed by authorised users who require a username and password. Passwords expire after 90 days and must comply with the Password Policy.

Password Policy

All passwords for ChilliPharm must:

  • be between 8 and 72 characters
  • contain an uppercase letter
  • contain a lowercase letter
  • contain a number and/or special character
  • be different from the previous password
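The five rules above, as an added example (this is illustrative code, not ChilliPharm's own implementation): the policy checks run on the plaintext candidate, while the "different from previous" rule is checked against a stored salted hash so the old password never has to be kept in clear; PBKDF2-HMAC-SHA256 from the standard library is an assumed stand-in for whatever hash the platform actually uses.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Bounds taken from the ChilliPharm password policy above.
MIN_LEN, MAX_LEN = 8, 72
SPECIAL = set(string.punctuation)
PBKDF2_ROUNDS = 600_000  # assumption: OWASP-recommended PBKDF2-SHA256 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash of the password; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_previous(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of the candidate against the stored previous-password hash."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def check_password(candidate: str, previous: Optional[Tuple[bytes, bytes]] = None) -> List[str]:
    """Return the names of the policy rules the candidate breaks (empty list = accepted)."""
    failures = []
    # Length is counted in characters as the policy states; if the stored hash is
    # bcrypt, the 72 limit should instead be applied to UTF-8 bytes, which bcrypt truncates.
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        failures.append("length")
    if not any(c.isupper() for c in candidate):
        failures.append("uppercase")
    if not any(c.islower() for c in candidate):
        failures.append("lowercase")
    # "number and/or special character": either class satisfies the rule.
    if not any(c.isdigit() or c in SPECIAL for c in candidate):
        failures.append("number_or_special")
    if previous is not None and matches_previous(candidate, *previous):
        failures.append("same_as_previous")
    return failures


if __name__ == "__main__":
    salt, digest = hash_password("Correct-Horse9")  # constructed sample previous password
    print(check_password("Correct-Horse9", (salt, digest)))  # ['same_as_previous']
    print(check_password("Correct-Horse10", (salt, digest)))  # []
```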

Account Lockout Policy

Users are temporarily locked out of their account after too many unsuccessful logins within a period of time. For security, the login response gives no indication of whether an account exists.

Audit Trail

The ChilliPharm platform includes audit logs which are visible within the system itself, as well as system-level logs which record all activity on the system.

Penetration Testing

Periodic Security Assessments are carried out by a third party. They perform penetration testing and vulnerability scanning.

Intellectual Property (Privacy Policy)

ChilliBean protects its own and other parties' Intellectual Property through the use of access controls and NDAs where appropriate.

Data Protection and Privacy (GDPR)

ChilliBean identifies as a Data Processor and is committed to compliance with all national and, where appropriate and stated, international laws relating to the protection of personal data and individual privacy.

Disaster Recovery

ChilliBean has a Business Continuity Management Policy that aligns with ISO 22301, and comprehensive, tested business continuity plans which set out the procedures to follow should such events occur.

Information Security Policy

ChilliBean are committed to preserving the confidentiality, integrity and availability of all physical and information assets owned and controlled by the company in accordance with the ISO/IEC 27001 standard.

Malware

All workstations used by ChilliBean staff are fully protected with anti-malware software. All production systems have a strictly controlled execution environment to ensure that no unauthorised code can be executed.

Retention Period

ChilliBean maintains a data retention policy, reviews stored data and securely deletes information that is no longer needed for its original intended purpose(s) or is no longer valid.

Information Backup

Backups of the ChilliPharm application data are performed by near-realtime copying of all customer data to a geographically separate region.

Hosting

ChilliBean uses Amazon Web Services for cloud hosting in two separate EU geographical regions.

Server Management

The ChilliPharm infrastructure is built on AWS using Infrastructure as Code methodologies - we use automation tools to build and configure our execution environment and supporting cloud infrastructure, and to deploy the application.

Information Security Management System

ChilliBean have implemented and maintain an Information Security Management System compliant with ISO 27001:2015, able to guarantee: compliance with applicable regulations; the client’s expectations and requirements regarding the services provided; and the continuous improvement of our activities.

Certification

ISO 27001 certificate #164 via BM Trada, available on request.

Quality System

ChilliBean are in the process of implementing an Integrated Management System, adding quality policies aligned with ISO 9001:2015 alongside the existing Information Security Management System, which is compliant with ISO 27001:2015.

People

All staff receive training on ChilliBean ISMS policies, general information security, and 21 CFR Part 11 / Annex 1. Annual security training covers ISO 27001, 21 CFR Part 11, GDPR and data integrity.

Development of products and services

A design and development process is established and documented in ChilliBean’s SDLC, which is appropriate and ensures that products and services are designed to meet expectations.

Control of non-conforming outputs

Records of the nature of non-conformities and any subsequent actions taken, including concessions obtained, are maintained and monitored. When a non-conforming product or service is corrected it is subject to re-verification to demonstrate conformity to the requirements.

Internal Audits

ChilliBean maintains an internal audit schedule to determine whether the Management System:

  • conforms to the planned arrangements, to the requirements of ISO 27001:2015 and to the Information Security Management System requirements established by ChilliBean;
  • is effectively implemented and maintained.

Management review

ChilliBean management reviews ChilliBean’s Management System at least annually to ensure its continuing suitability, adequacy and effectiveness.

Improvement

ChilliBean determines and selects opportunities for improvements and implements necessary actions to meet customer requirements and enhance customer satisfaction.

Regulations

ChilliBean retains a list of applicable statutory and regulatory requirements relevant to the company’s information systems. This list is reviewed annually or when new legislation/contractual requirements are identified.

Customer Support

Customers can raise helpdesk tickets via support@chillipharm.com. Tickets are responded to within a 24-hour period.