Data Safety and Security
1. When collecting data for the creation of Machine Learning models, does Trial Interactive ‘share’ data between customers in any way?
Answer:
No. Trial Interactive uses Machine Learning to create learning models for the metadata mapping of up to 42 essential documents. In addition, Trial Interactive creates a fingerprint of document data to identify similar documents and identical document types. This data is stored unique to each customer domain and is not shared between customer domains. Document metadata mappings are stored directly with each TMF or room/repository configuration and may be re-used between studies, but only with approval by the customer at time of room creation.
2. What services does TI offer in regards to ISO 2700 and security management?
Answer: TransPerfect is ISO27001 Certified.
3. What can be done in the case that we need to restore data due to customer actions (e.g. document deletion, corruption..)? Can a document or a folder be restored from a backup?
Answer: We keep multiple backups and we can restore everything from those backups whether it be a single file or an entire folder.
4. Does your software solution support attribute based role management in SAML authentication? For example if Sender´s SAML message has ”role” attribute value with “Admin” the user gets automatically Admin –rights?
Answer: We support the initial creation of users and the assignment of their initial role through SAML.
5. How does Trial Interactive seek to reduce the risk associated with ransomware?
Answer: Ransomware is largely executed by the attacker getting some executable code to work on your system. We seek to prevent that in several ways:
- At a corporate level, we have an awareness and training program. Because end users are targets, employees and individuals are aware of the threat of ransomware and how it is delivered.
- We have strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- We anti-virus scan all uploaded documents incoming and outgoing emails, and documents posted to sFTP to detect threats and prevent executable files from reaching end users.
- All firewalls are configured to block access to known malicious IP addresses, and we use IP whitelisting and secure, rotating, password-protected keys for all direct network access.
- We consistently patch operating systems, software, and firmware on all infrastructure to ensure we are on the latest patches and exploit fixes.
- We manage the use of privileged accounts based on the principle of least privilege and we white box penetration test our software as part of our regular scan.
- We configure all access controls—including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, the user does not have write access to those files, directories, or shares.
- We use a document viewer (TI Viewer) that renders all macros inert office files.
- We implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations.
- We use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- We execute operating system environments or specific programs in a virtualized environment. We also use jump boxes to prevent any direct access to our Cloud Hosting Environment.
- We back up data regularly, and verify the integrity of those backups, with all failures sending an email alert, and test the restoration process to ensure it is working.
- We conduct an annual white box and black box penetration test and vulnerability assessment.
- We secure all backups, and encrypt them in a safe recovery location.
6. The segregation of data between different clients – how does TransPerfect ensure that client’s data is segregated from the data of other clients?
Answer: An enterprise / dedicated instance is completed separated from every other service except for two services: the email service has to go through a central domain and the sftp file share service because it is also domain based. TransPerfect keeps the encryption keys for all content and the data base. So even if a customer is on multi-tenant, the customer’s data slice is encrypted from the other domains and therefore completely separated.