Benchling has acquired PipeBio! Learn more
2024/10/31
More information related to PipeBio’s security measures can be found at https://pipebio.com/security/information-security-policy (“Security Policy”).
| Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measures |
|---|---|
| Measures of pseudonymisation and encryption of personal data | All data and communication within PipeBio is protected at rest using AES 256-bit encryption, and in transit using Transport Layer Security (TLS) encryption 1.2 or higher. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | PipeBio maintains an information security program, which includes: (a) a formal risk management program; (b) conducting periodic risk assessments of systems and networks that process Customer Data; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; (d) a written information security policy (available at https://pipebio.com/security/information-security-policy) and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (e) penetration testing performed by a qualified third party on an annual basis; and (f) having resources responsible for information security efforts. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | PipeBio's backup policy is based on ISO-27001 standards. PipeBio services are replicated to ensure high availability, redundancy, and failure tolerance. PipeBio performs at least daily backups for recovery purposes. Backups are encrypted and tested at least annually. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | PipeBio’s systems are annually subjected to a wide range of different penetration tests and external audits. The company practices “security by design” principles by incorporating threat modeling into the design phase for all key features. Any changes to PipeBio’s code base requires additional testing and review prior to migrating to the production environment. Security tooling is integrated into PipeBio’s code pipeline, which incorporates a number of checks for application security vulnerabilities. |
| Measures for user identification and authorisation | PipeBio systems are managed through an SSO provider which enforces multi-factor authentication. PipeBio observes the principles of “least privilege” and “role based access” meaning access to data and systems are limited to what is necessary in order to fulfill an employee's current job responsibilities. PipeBio utilizes segregation of duties to reduce the risk of unauthorized or unintentional modification or misuse of systems or data. Systems require user authentication and user access (including privileged access) to be reviewed quarterly or when changes to personnel occur. |
| Measures for the protection of data during transmission | All data and communication within PipeBio is protected in transit using Transport Layer Security (TLS) encryption 1.2 or higher. |
| Measures for the protection of data during storage | All data and communication within PipeBio is protected at rest using AES 256-bit encryption. By default, Customer Data is stored and processed within a secure cloud environment hosted on Google. |
| Measures for ensuring physical security of locations at which personal data are processed | PipeBio utilizes Google for cloud processing. In addition, all PipeBio offices and PipeBio-managed work spaces have a physical security program that manages visitors, building entrances, closed circuit televisions, and overall office security. All employees, contractors, and visitors are required to wear an identification badge. |
| Measures for ensuring events logging | Actions performed within PipeBio, such as logins, data writes and configuration changes, are attributable to particular users, and are captured with user information, date and time stamps in the audit logs. Logging data is centralized where it is made available for authorized individuals to monitor and take action in the event of an incident. |
| Measures for ensuring system configuration, including default configuration | PipeBio systems are built leveraging baseline configurations which are hardened in accordance with industry best practices like Center for Information Security (CIS). |
| Measures for internal IT and IT security governance and management | PipeBio’s IT services are automated and compartmentalized to limit the security risk of any single component of the system. PipeBio practices a “Zero Trust” policy. This means multiple security attributes are assigned to each PipeBio team member and user account, and multi-factor authentication is required in order to access any of the company’s IT services. A final layer of security is provided by the NIST Security Risk Management Framework, in which each security risk is assessed according to a set of internal benchmarks, with significant decisions requiring confirmation from PipeBio’s senior executive team. |
| Measures for certification/assurance of processes and products | PipeBio’s dedicated security and privacy programs are externally audited annually. The company maintains an International Organization for Standardization (ISO) 27001 certification. All PipeBio’s operations comply with the General Data Protection Regulation (GDPR). |
| Measures for ensuring data minimisation | PipeBio only collects information that is necessary in order to provide the PipeBio Services. Our employees are directed to access only the minimum amount of information necessary to perform the task at hand. |
| Measures for ensuring data quality | PipeBio maintains logging details that include changes to sensitive configuration settings and files. At minimum, log entries include date, timestamp, action performed, and the user ID or the device ID of the action performed. Logs are protected from change. |
| Measures for ensuring limited data retention | PipeBio will retain information for the period necessary to provide the Services and for a period of time thereafter in backups, unless a longer retention period is required or permitted by law, or where the applicable agreement requires or permits specific retention or deletion periods. |
| Measures for ensuring accountability | PipeBio is establishing a comprehensive GDPR compliance program and is committed to partnering with Customers and vendors on compliance efforts. Specifically, PipeBio has taken the following steps to align its practices with GDPR: (i) all employees are required to complete annual GDPR training and security training, (ii) policies and contracts are in place with partners and vendors to comply with GDPR, (iii) enhanced security practices and procedures are being put in place, (iv) data mapping tools are being implemented, (v) robust internal privacy and security documentation is being put into place, (vi) a Data Protection Officer has been appointed, and (vii) tools and procedures to respond to data subject access requests are being implemented. |
| Measures for allowing data portability and ensuring erasure | PipeBio provides a mechanism for individuals to exercise their privacy rights in accordance with applicable law. Individuals request that PipeBio delete their data or provide a copy of their data here. |
| Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer. | When PipeBio engages a subprocessor, PipeBio and the subprocessor enter into an agreement with data protection obligations substantially similar to those contained herein. Each subprocessor must ensure that PipeBio is able to meet its obligations to Customers. In addition to implementing technical and organizational measures to protect Customer Data, the subprocessors must (a) notify PipeBio in the event of a Security Incident, (b) delete Personal Data when instructed by PipeBio in accordance with Customer’s instructions to PipeBio; (c) not engage additional subprocessors without PipeBio’s authorization; (d) not change the location where Personal Data is processed; and (e) not process Personal Data in a manner which conflicts with Customer’s instructions to PipeBio. |
