Security Overview

Effective Date: June 28, 2019

Remarque Systems Security

Goals

Remarque Systems’ security goals are to guarantee the confidentiality, integrity, availability, and privacy of the information entrusted to the company.

Compliance

Remarque Systems works to be compliant with the following regulations:

  • United States Food and Drug Administration 21 CFR Part 11
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • European Union (EU) 2016/679 (General Data Protection Regulation or GDPR).

Remarque Systems has documented policies and procedures to support its security practices.

People

Remarque Systems’ security culture includes:

  • Management support for security
  • Employee and contractor screening
  • Security awareness and training.

Third-Party Vendors

Remarque Systems evaluates the security practices of the third-party vendors with which it does business to ensure its security goals and compliance are maintained.

Remarque Systems Platform Architecture

The Remarque Systems Platform (RSP) is hosted on Microsoft Azure for scalable compute capacity and data storage in the cloud. Microsoft Azure’s platform is used by thousands of companies globally, provides secure services, and has multiple certifications and audits. Details are available at https://docs.microsoft.com/en-us/azure/security/.

Remarque Systems uses Auth0 for integrating and federating customer’s single sign-on solutions and for managing credentials of users not served by a single sign-on solution. An overview of Auth0 security practices and compliance is available at https://auth0.com/security/.

About Microsoft Azure

Security Compliance

Microsoft maintains its own compliance and assertions with ISO/IEC 27001:2013, SOC 2 Type 2, and other industry security frameworks. See https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings?product=Azure for details.

Geographic Location of Customer Data

The RSP and its data are hosted in Microsoft Azure data centers located in the United States.

Isolation of Customer Data/Segregation of Customers

Microsoft Azure is a multi-tenant service, which means that multiple customer deployments and virtual machines are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from the data of others. Segregation provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another’s data.

Secure Network Architecture

Microsoft Azure requires virtual machines to be connected to an Azure Virtual Network. A virtual network is a logical construct built on top of the physical Azure network fabric. Each virtual network is isolated from all other virtual networks. This helps ensure that network traffic in the Remarque Systems deployment is not accessible to other Azure customers.

Network Monitoring and Protection

Azure provides continuous protection against distributed denial of service (DDoS) attacks.

Disaster Recovery

Microsoft Azure keeps data durable in two locations. In each location, Azure constantly maintains three healthy replicas of the data.

Physical Facility Security

Microsoft’s layers of physical security include:

  • Access request and approval prior to data center arrival requiring a valid business justification for the visit where requests must be approved on a “need-to-access” basis
  • Protected perimeter and well-defined access point to the data center
  • Continuous video monitoring
  • Two-factor authentication including biometrics, time-boxed limited access to data center areas, and security scans upon entering and exiting data center.

Controlled Environment

Microsoft Azure data centers have fire suppression, humidity control, and temperature control.

Backup Power

Microsoft Azure data centers use uninterruptible power supplies and battery banks for short-term power disruptions. Emergency generators provide backup power for extended outages and planned maintenance. If a natural disaster occurs, the data center has onsite fuel reserves.

Remarque Systems Security Practices

Information Classification

Remarque Systems classifies the information to which it has access based on its sensitivity.

Remarque Systems Platform Authentication

The RSP is a closed system. A user must successfully provide a user identifier and password to access the application.

Depending on the organization’s decision, RSP users may use their organization’s single sign-on credentials or Remarque Systems can manage the account credentials.

An organization’s single-sign-on product is responsible for protecting account credentials and monitoring account usage for unusual activity to mitigate threats to account security.

Remarque Systems uses Auth0 for account credentials. Auth0 uses bcrypt to secure passwords. Auth0 monitors account usage for unusual activity to mitigate threats to account security.

Remarque Systems stores the bare minimum data necessary to identify a user in the RSP.

Access Control

Remarque Systems follows the principle of least privilege, providing access to the RSP and the components necessary to support it on a “need-to-access” basis. Privileged access is reviewed on a regular basis to ensure employees only have the permissions necessary to perform their work.

Service Monitoring

Remarque Systems uses software to continuously monitor the performance and availability of the RSP.

Customer Data Confidentiality

Remarque Systems treats customer data as confidential. Remarque Systems does not use or share the information collected on behalf of a customer except as specified in the contract with the customer and in compliance with the Remarque Systems Privacy Policy at https://remarquesystems.com/privacy-policy/.

Remarque Systems maintains segmented development, test, and production environments for the Remarque Systems Platform, using technical controls to limit access to live production systems. Employees have specific authorizations to access development, test, and production systems.

Data Storage and Replication

The RSP and its data are hosted in the Microsoft Azure East US region. The database is continuously replicated (with a 5 to 10 second delay) to the Microsoft Azure West US region.

Data Encryption In-Transit and At-Rest

Information processed by the RSP is encrypted in-transit (over the network) using Transport Layer Security (TLS) 1.2 and at rest (while stored on the virtual machines) using symmetric encryption.

Data and Media Disposal

Upon a customer’s request or following the termination of a contract, Remarque Systems will destroy the customer data in Remarque Systems’ custody or control.

Patch Management

Remarque Systems uses automated patching management for its virtual machines in Microsoft Azure to ensure the infrastructure is running the most recent software updates.

Penetration Testing

Remarque Systems contracts with external vendors to perform penetration testing to uncover potential security vulnerabilities and improve the security of Remarque Systems products. Vendors perform these tests using industry best practices. Remarque Systems uses any findings to evaluate severity and priority and then creates a plan to address.

Incident Response

Remarque Systems uses software to keep its infrastructure patched to reduce security vulnerabilities.

When an incident does occur, Remarque Systems has a documented incident response process.

Business Continuity and Disaster Recovery Planning

Remarque Systems has documented business continuity and disaster recovery plans. These plans are regularly reviewed and tested.