Security and data protection

We take security of data very seriously at Sealed Envelope. All our systems are built with security and privacy considerations in mind.

Confidentiality

We place strict controls over our employees’ access to the data you and your users store via our randomisation and database services ("Customer Data"), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the our services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem or answer a query you have about our services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.

All of our employees are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company. Sealed Envelope are contractually obliged not to alter the data or database without the express written consent of the Customer.

Personnel Practices

Sealed Envelope check references on all employees before employment, and employees receive Good Clinical Practice and Data Protection training at induction as well as on an ongoing basis. All employees are required to read and sign our information management and security policy, as well as our procedures for passwords, logical security of data, control of records and office security. All our procedures are subject to a regular internal audit programme.

Compliance

The environment that hosts Sealed Envelope services maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI Certification, and SOC reports.

The production environment is located in the UK at Rackspace and backed up daily on-site. Please visit the Rackspace website for information on their certifications.

Production data is replicated continuously to a remote server (Amazon Web Services Ireland) for off-site storage and disaster recovery purposes. Please visit the AWS Security website and the AWS Compliance website for more information on Amazon's certifications.

NHS England

Sealed Envelope is registered as a data controller with the Information Commissioner's Office (ICO) and has been inspected by the MHRA the UK clinical trials regulator. We have successfully passed assessment against the National Data Guardian’s 10 data security standards using the NHS England Data Security and Protection Toolkit. You can view our published DSP Toolkit status of Standards Met on the NHS website.

iso 27001

ISO/IEC 27001 is an international standard for Information Security Management that provides a framework for organisations to manage and maintain the confidentiality, integrity, and availability of their information assets. It is a widely recognised and adopted standard for implementing an Information Security Management System (ISMS). Sealed Envelope have been independently audited and certified as meeting the ISO/IEC 27001 standard. View ISO/IEC 27001 certificate.

cyber essentials

Cyber Essentials is a UK Government led and industry-backed scheme that helps organisations of all sizes protect themselves against common cyber-security threats. The UK Government now requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme. Sealed Envelope have been certified as meeting the Cyber Essentials requirements by a CREST accredited security company. View Cyber Essentials certificate.

Security Features of the Software

In addition to using secure infrastructure, we provide our customers using Red Pill and comprehensive randomisation systems with additional tools to enable their own users to protect their Customer Data.

Role-based Permissions

Logical security is built into all our applications through role based permissions. Users are limited to accessing data only at their own trial site. Functionality is restricted appropriately according to a users role. See roles and privileges for more information.

Audit Trails

Detailed audit trails are available to administrators showing all changes to their data. Data is shown before and after the change in a timestamped entry attributed to a named user account and IP address. When viewing forms changes are highlighted and older versions can be stepped back through using the history bar.

Administrators can also see a comprehensive audit log of additions and changes to user accounts for their trials.

All users can view details of their five most recent log ins. The date and time of each log in together with browser information and IP address are tabulated. The geographical location of each IP address is shown if available.

Log in Controls

Users must pick strong passwords and we protect accounts with log in throttling to prevent automated password guessing. We used NIST and the UK Government guidance when designing our log in system. Customers can turn off enforced regular password resets as advised by these bodies.

Deletion of Customer Data

Administrators have controls to delete individual forms and participant records from their data.

At the end of the trial and once the Customer has confirmed all data has been downloaded, we decommission the system concerned and delete all Customer Data. After 30 days Customer Data will also no longer be present in our backups.

Data Encryption In Transit and At Rest

Our website supports the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. Customers can choose to encrypt certain data fields (such as those storing personally identifiable information) in the database. These fields are encrypted with AES-256 and can only be viewed through the web interface. They remain encrypted in downloads which reduces the risk that downloaded files can compromise privacy.

Backups we make of Customer Data are encrypted and replication of production data is via encrypted tunnels.

Availability

We understand that trials rely on Sealed Envelope services for critical processes such as randomisation. We're committed to making Sealed Envelope a highly-available 24/7 service that you can count on. We test business continuity measures regularly and use external monitoring services to alert us of unexpected incidents. You can see our current and past uptime here

Disaster Recovery

Customer Data is stored redundantly at both Rackspace UK and AWS Ireland to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up nightly. We are alerted in case of a failure with this system. Backups are fully tested at least every six months to confirm that our processes and tools work as expected.

Network Protection

Access to the underlying server and database infrastructure is strictly limited to Sealed Envelope operations staff using SSH with public/private key pairs. Root accounts are disabled and firewalls are configured to block unnecessary ports.

Host Management

We perform regular automated vulnerability scans of our website and remediate any findings that present a risk to our environment. Regular penetration testing of our platform is carried out by a CREST accredited security company. We enforce screens lockouts, firewall settings, and the usage of full disk encryption for company laptops. A company controlled IPSEC VPN is used for offsite access.

Logging

Server logs are analysed daily for security events via automated monitoring software. Alerts for repeated failed log in attempts are investigated for suspicious activity.

Incident Management & Response

In the event of a security breach, Sealed Envelope will promptly notify you of any unauthorised access to your Customer Data. We have incident management procedures in place to handle such an event.

Product Security Practices

Security aspects are considered when new features, functionality, and design changes are planned. In addition, our code is tested and manually peer-reviewed prior to being deployed to production. Software developers receive regular training on security concerns that may arise during development.

Last updated Jun 2024

knight's armour