Integrity and honesty are the key attributes of everything we do at Castor. We are committed to protecting our customers’ data above all else.
Castor is secured according to the most recent standards in order to protect your data in the best possible way. Castor is certified for ISO 27001 (Standards for Information Security Assurance), the standard that describes how Information Security should be organized in a process-based manner in the context of the general business risks for the organization. You can download our certificate here and can always contact us if you’d like to learn more.
Security of the application
- Users have individual accounts and strong passwords are required.
- Institute administrators can enforce additional security policies, such as mandatory two-factor authentication or regular password rotation.
- Access to data is determined by the study administrator and can be granted per person per institute, preventing unauthorized access to data by other researchers or institutes.
- Study access can be limited on IP-range and require two-factor authenticated login as well.
- Continuous Penetration Tests ensure our application and infrastructure security is always up to date.
- Data is encrypted at rest. An additional application-level encryption layer can be enabled for sensitive data, using libsodium with encryption keys managed offsite by a trusted third-party key management system. Within the application fine-grained encryption and decryption authorizations can be granted per study and institute.
- Application code uses modern techniques to minimize the risk of SQL injection, cross site scripting (XSS) and other common attacks.
- Immutable audit logs provide a fine-grained overview of data access and modifications.
Security of the servers
- Castor applications runs on fully managed virtual private servers, with a local provider in the following regions:
- All hosting platforms are certified for or compliant with relevant certifications (ISO27001, ISO9001) and/or national or international standards (HIPAA, NEN7510).
- Our servers are patched with security updates on a daily or weekly basis depending on the environment. Critical updates are applied as soon as possible to prevent potential vulnerabilities.
- Access to data centers is restricted to authorized personnel only. Locations are protected by digital surveillance equipment.
- All study data is encrypted at rest via full disk encryption of the relevant disks. Additional encryption can be configured on a per-field level by the end users.
- Backups are made twice daily and stored at a different geographical location to ensure maximum security and continuity.
Security of the network
- The application runs on protected servers with only necessary services and ports open to the outside world.
- Web traffic is only permitted using modern, industry standard encryption (>TLS 1.2 and newer), and all applications of cryptography are regularly reviewed.
- A dedicated firewall ensures that no unwanted connections can be made to any of our servers.
- In order to prevent external attacks, the database servers are not directly accessible from the public Internet.
Organizational and Personnel security
- Access to the office is restricted via personal, digital key tags. Visitors have to be accompanied at all times.
- All laptops, phones and other devices used by employees and contractors are fully encrypted.
- All employees and contractors attend a security training at least twice a year.
In the event of a data breach
We do everything in our power to protect your data. However, we cannot guarantee that we will be 100% secure from the actions of malicious hackers. If a security breach should occur, we will do everything to mitigate it and inform you as soon as possible to minimize damage.
Our Secure Development Policy describes the entire software development lifecycle and all the measures we take to ensure the best possible security. This includes our release cycles, feature and bugfix procedures, code review requirements and QA processes.
If anything unexpected should happen to our company we want to minimize the impact this has for our clients. Therefore we provide coverage on the short and long term:
- Short term coverage through a continuity solution: we have deposited funds in a separate legal entity to ensure hosting continues for at least 3 months. All studies in Castor EDC automatically profit from this arrangement.
- Long term coverage through a Source Code Escrow: clients have the option to become a beneficiary of the application source code in case of bankruptcy or product discontinuation. The code can be deployed in an own environment, or our hosting provider can continue the services. Please contact us if this option is of interest.
You can contribute to the security of your data. We advise everyone not to store patient-identifiable information (surnames, social security numbers, postal codes, date of birth, etc.) within Castor, except when using our Encryption Module.
We also recommend that you keep your passwords safe and never write them down. Secure your computers with antivirus and anti-malware software. Always check if you are on the Castor Website and not on a fake site (phishing). Castor personnel will never ask for your password. We strongly recommend you enable two-factor authentication to ensure your Castor account is protected even if your password or email account gets compromised.
If you have any questions about the security of Castor, please contact us.