Security Statement

We've provided an overview of the measures we take to secure your data

Good Clinical Practice

Castor is secured according to the most recent standards in order to protect your data in the best possible way. We strive towards storing the collected data as securely as possible. We try to be as transparent as possible because we do not believe in ‘security through obscurity’.


Security of the system (Castor)

  • Each user has their own individual account; sharing of passwords is not permitted and we enforce strong password choices when creating or changing passwords.
  • Customers log in through SSL/TLS1.2.
  • The authorisation to access data is determined per person per institute and is always maintained by the study administrator, thereby excluding the possibility of unauthorised access to data by other researchers or institutes.
  • The application code has been written in such a way that the risk of SQL injection and related attacks is kept as low as possible.
  • Continuous penetration tests ensure that our application and infrastructure security is always state-of-the-art.


Security of the servers

  • Our servers are hosted globally at three ISPs: True in the Netherlands, Pulsant in the United Kingdom and Healthcare Blocks / AWS in the USA. All hosting platforms are certified for or compliant with relevant certifications (ISO27001, ISO9001) and/or national or international standards like HIPAA.
    * Unauthorized access to the data centers is not possible.
    * The data centers are protected by digital surveillance equipment.
    * All backups are stored at another geographical location to ensure maximum security and continuity, in line with the EU Data Protection Directive.


Castor Availability 

  • Castor EDC runs on fully managed virtual private servers. All servers are continually and pro-actively monitored, and in the event of any emerging problems or loss of availability action is immediately taken according to our standard operating procedures.
  • Backups are made four times a day and are moved to another geographical location on a daily basis.


Network Security

  • Intrusion detection systems and other systems continuously check for errors and prevent hackers from accessing the system.
  • The application runs on a protected server with only strictly necessary services and ports open to the outside world.
  • A hardware firewall ensures that no unwanted connections can be made to any of our servers.
  • In order to prevent external attacks, the database server is not accessible from the Internet.



  • The application uses a stack including PHP 7.0 and MySQL 5.5. Everything is hosted on recently updated Ubuntu Linux servers.
  • Our servers are always up to date, and zero-day exploits are patched as quickly as possible to prevent vulnerabilities.



By handling any incidents

We do everything in our power to protect your data. Nonetheless, absolute security does not exist on the Internet, as even governments can be hacked. We cannot guarantee that we will never become the victim of malicious hackers. However, we do everything possible to prevent this. Should we unfortunately still find ourselves the victim of an attack, we will do everything to inform you as soon as possible and minimize damage.

User responsibilities

You can contribute to the security of your data. We advise everyone not to store patient-identifiable information within Castor. That means no surnames, Social Security numbers or post codes, and preferably even no date of birth. The safest solution is to use the Castor record ID and to connect your computer to the patient data within your own network. This will ensure that patient information can never be traced back to a patient.

Continuity Solution & Source Code Escrow

If anything unexpected should happen to our company, we want to minimize the impact this has on our clients. Therefore we provide coverage in the short and long term:

  • Short-term coverage through a continuity solution: we have deposited funds in a separate legal entity to ensure hosting continues for at least 3 months. All studies in Castor EDC automatically benefit from this arrangement.
  • Long-term coverage through a Source Code Escrow: clients have the option to become a beneficiary of the application source code in case of bankruptcy or product discontinuation. The code can be deployed in the client's own environment, or our hosting provider can continue the services. Please contact us if this option is of interest.

We also recommend that you keep your passwords safe and never write them down. Secure your computers with antivirus and anti-malware software. Always check that you are on the Castor Website and not on a fake site (phishing). We will never ask for your password.


Questions? If you have any questions about the security of Castor, you can send us an email at