Security Statement

We've provided an overview of the measures we take to secure your data

Castor is secured according to the most recent standards in order to protect your data in the best possible way. We strive towards storing the collected data as securely as possible. We try to be as transparent as possible because we do not believe in ‘security through obscurity’.

Castor is officially certified in the field of Information Security (ISO 27001 – Standards for Information Security Assurance), the standard that describes how Information Security should be organized in a process-based manner in the context of the general business risks for the organization. You can download our certificate here and can always contact us if you’d like to learn more.

Security of the application

  • Users have individual accounts and strong passwords are required.
  • Institute administrators can enforce additional security policies, such as mandatory two-factor authentication or regular password rotation.
  • Access to data is determined by the study administrator and can be granted per person per institute, preventing unauthorized access to data by other researchers or institutes.
  • Continuous Penetration Tests (both whitebox and blackbox) ensure our application and infrastructure security is always state-of-the-art.
  • Sensitive data can be encrypted at rest, using libsodium with encryption keys managed offsite by a trusted third-party key management system.
  • Application code uses modern techniques to minimize the risk of SQL injection, cross site scripting (XSS) and other common attacks.


Security of the servers

  • Castor EDC runs on fully managed virtual private servers, with a local provider in the following regions:
  • All hosting platforms are certified for or compliant with relevant certifications (ISO27001, ISO9001) and/or national or international standards (HIPAA, NEN7510).
  • Our Linux servers apply new security patches automatically and are always up to date. Zero-day exploits are patched as quickly as possible to prevent vulnerabilities.
  • Unauthorized access to the data centers is not possible. Locations are protected by digital surveillance equipment
  • Backups are made four times a day and stored at another geographical location to ensure maximum security and continuity.


Security of the network

  • Intrusion detection systems and other systems continuously check for errors and prevent hackers from accessing the system.
  • The application runs on protected servers with only strictly necessary services and ports open to the outside world.
  • Web traffic is only permitted over TLS 1.2.
  • A hardware firewall ensures that no unwanted connections can be made to any of our servers.
  • In order to prevent external attacks, the database servers are not accessible from the Internet.



In the event of a data breach

We do everything in our power to protect your data. Nonetheless, absolute security does not exist on the Internet, as even governments can be hacked. We cannot guarantee that we will never become the victim of malicious hackers. However, we do everything possible to prevent this. Should we unfortunately still find ourselves the victim of an attack, we will do everything to inform you as soon as possible and minimize damage.


If anything unexpected should happen to our company we want to minimize the impact this has for our clients. Therefore we provide coverage on the short and long term:

  • Short term coverage through a continuity solution: we have deposited funds in a legal entity separate to ensure hosting continues for at least 3 months. All studies in Castor EDC automatically profit from this arrangement.
  • Long term coverage through a Source Code Escrow: clients have the option to become a beneficiary of the application source code in case of bankruptcy or product discontinuation. The code can be deployed in an own environment, or our hosting provider can continue the services. Please contact us if this option is of interest.

User responsibilities

You can contribute to the security of your data. We advise everyone not to store patient-identifiable information within Castor, unless you are using our Encryption module. That means no surnames, Social Security numbers or post codes, and preferably even no date of birth. If these data are necessary for your study, you can keep them on your institution’s premises in a linking table, using the Castor Record ID as the linking identifier. This will ensure that patient information within Castor EDC can never be traced back to a patient.

We also recommend that you keep your passwords safe and never write them down. Secure your computers with antivirus and anti-malware software. Always check that you are on the Castor Website and not on a fake site (phishing). Castor personnel will never ask for your password.


If you have any questions about the security of Castor, please contact us.