Please be aware that our aim is to provide adequate assurance on ChilliBean’s systems and processes whilst not disclosing any detail that might lead to a loss of information security or data integrity should the information fall into the wrong hands.
Some of our disclosures are consequently qualitative, rather than spelling out exactly how we secure our systems. We trust you will appreciate this and please ask if further verbal assurance is required.
Firewalls protect all our internal office networks. Our production and test networks are protected using AWS's in-built protections, ensuring that firewalls are in place between the organisation’s network and any external networks not wholly owned and controlled by the organisation.
All connections to ChilliPharm systems are made over HTTPS, using TLS 1.2 where possible. All communication uses HTTPS for encryption, including media upload, download and playback.
Data Encryption at rest
All data held in the ChilliPharm application is encrypted at rest using AES 256 bit encryption.
ChilliBean systems are only accessed by authorised users who require a username and password. Passwords expire after 90 days and must comply with the Password Policy.
All passwords for ChilliPharm must:
- be between 8 and 72 characters
- contain an uppercase letter
- contain a lowercase letter
- contain a number and/or special character
- be different from the previous password
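A validator that enforces exactly the five rules listed above, written as an added example for this page (it is not ChilliBean's own code). It assumes passwords are stored as salted PBKDF2 digests so the "different from the previous password" rule can be checked without keeping old passwords in clear, and it also caps the UTF-8 byte length at 72 because bcrypt-style hashes silently truncate longer input.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Bounds as stated in the policy. 72 is also the input limit of bcrypt-style
# hashes, which silently truncate longer input, so the cap is applied to the
# UTF-8 byte length as well as to the character count.
MIN_LEN = 8
MAX_LEN = 72
PBKDF2_ROUNDS = 100_000  # assumed work factor; the page does not say how passwords are stored


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest, so a previous password never has to be stored in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password_policy(candidate: str, previous: Optional[Tuple[bytes, bytes]] = None) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable.

    `previous` is the (salt, digest) pair of the user's current password, if any.
    """
    problems: List[str] = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"must be between {MIN_LEN} and {MAX_LEN} characters")
    elif len(candidate.encode("utf-8")) > MAX_LEN:
        problems.append(f"must be at most {MAX_LEN} bytes when UTF-8 encoded")
    if not any(c.isupper() for c in candidate):
        problems.append("must contain an uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("must contain a lowercase letter")
    # Anything that is not a letter or a digit counts as a special character.
    if not any(c.isdigit() or not c.isalnum() for c in candidate):
        problems.append("must contain a number and/or special character")
    if previous is not None:
        salt, stored = previous
        _, fresh = hash_password(candidate, salt)
        if hmac.compare_digest(fresh, stored):
            problems.append("must be different from the previous password")
    return problems
```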
Account Lockout Policy
Users are temporarily locked out of their account after too many unsuccessful logins within a period of time. No indication of an existing account is displayed for security.
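The lockout behaviour described above, as an added example that is not part of ChilliBean's own code. The page does not give the thresholds, so `MAX_FAILURES`, `WINDOW_SECONDS` and `LOCKOUT_SECONDS` are assumed values; the point demonstrated is a sliding failure window, a temporary lock, and a single generic failure message returned whether the account is unknown, the password is wrong, or the account is locked.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Assumed thresholds: the page says only "too many unsuccessful logins within a period of time".
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60
GENERIC_FAILURE = "Invalid username or password."


class LoginGuard:
    """Counts failed logins per account in a sliding window and locks the account temporarily."""

    def __init__(self, verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._verify = verify      # True only when the user exists and the password matches
        self._clock = clock        # injectable so the window can be tested without sleeping
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _key(username: str) -> str:
        return username.strip().lower()

    def is_locked(self, username: str) -> bool:
        return self._locked_until.get(self._key(username), 0.0) > self._clock()

    def attempt(self, username: str, password: str) -> Tuple[bool, str]:
        key, now = self._key(username), self._clock()
        if self._locked_until.get(key, 0.0) > now:
            # Locked: do not verify, and do not reveal the lock. Same message as any other failure.
            return False, GENERIC_FAILURE
        if self._verify(username, password):
            self._failures.pop(key, None)
            return True, "OK"
        # Failures are tracked for unknown usernames too, so responses never differ by account existence.
        window = self._failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            self._failures.pop(key, None)
        return False, GENERIC_FAILURE
```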
The ChilliPharm platform includes audit logs that are visible within the system itself, as well as system-level logs that record all activity on the system.
Periodic Security Assessments are carried out by a third party. They perform penetration testing and vulnerability scanning.
ChilliBean protects its own and other parties' Intellectual Property through the use of access controls and NDAs where appropriate.
Data Protection and Privacy (GDPR)
ChilliBean identifies as a Data Processor and is committed to compliance with all national and, where appropriate and stated, international laws relating to the protection of personal data and individual privacy.
ChilliBean has a Business Continuity Management Policy that aligns with ISO 22301, and comprehensive, tested business continuity plans that set out the procedures to follow should such events occur.
Information Security Policy
ChilliBean are committed to preserving the confidentiality, integrity and availability of all physical and information assets owned and controlled by the company in accordance with the ISO/IEC 27001 standard.
All workstations used by ChilliBean staff are fully protected with anti-malware software. All production systems have a strictly controlled execution environment to ensure that no unauthorised code can be executed.
ChilliBean maintains a data retention policy and conducts reviews on stored data and will securely delete information that is no longer needed for its original intended purpose(s) or is no longer valid.
Backups of the ChilliPharm application data are performed by near-real-time copying of all customer data to a geographically separate region.
ChilliBean uses Amazon Web Services for cloud hosting in two separate EU geographical regions.
The ChilliPharm infrastructure is built on AWS using Infrastructure as Code methodologies: we use automation tools to build and configure our execution environment and supporting cloud infrastructure, and to deploy the application.
Information Security Management System
ChilliBean have implemented and maintain an Information Security Management System compliant with ISO 27001:2015, able to guarantee:
- compliance with applicable regulations
- the client’s expectations and requirements regarding the services provided
- the continuous improvement of our activities
ISO 27001 certificate #164 via BM Trada, available on request.
ChilliBean are in the process of implementing an Integrated Management System, adding Quality Policies aligned with ISO 9001:2015 alongside the existing Information Security Management System, which is compliant with ISO 27001:2015.
All staff are subject to training on ChilliBean ISMS policies, general information security, and 21 CFR Part 11 / Annex 1. Annual security training includes ISO 27001, CFR Part 11, GDPR and Data Integrity.
Development of products and services
A design and development process is established and documented in ChilliBean’s SDLC, which is appropriate and ensures that products and services are designed to meet expectations.
Control of non-conforming outputs
Records of the nature of non-conformities and any subsequent actions taken, including concessions obtained, are maintained and monitored. When a non-conforming product or service is corrected it is subject to re-verification to demonstrate conformity to the requirements.
ChilliBean maintains an internal audit schedule to determine whether the Management System:
- a. conforms to the planned arrangements, to the requirements of ISO 27001:2015 and to the Information Security Management System requirements established by ChilliBean
- b. is effectively implemented and maintained
ChilliBean management reviews ChilliBean’s Management System, at least annually, to ensure its continuing suitability, adequacy and effectiveness.
ChilliBean determines and selects opportunities for improvements and implements necessary actions to meet customer requirements and enhance customer satisfaction.
ChilliBean retains a list of applicable statutory and regulatory requirements relevant to the company’s information systems. This list is reviewed annually or when new legislation/contractual requirements are identified.
Customers can raise helpdesk tickets via firstname.lastname@example.org. Tickets are responded to within a 24 hour period.