Security FAQ
Question: Please describe the security architecture of Trial Interactive.
Answer: Trial Interactive has multiple layers of boundary protection on all externally hosted solutions. Trial Interactive has a shared application instance; however, each customer's documents are stored separately, which is logically and physically separated from the Trial Interactive database instance. There is a logical segmentation between client records, and all data is encrypted in-place and in-transit. Trial Interactive has gone through a rigorous 3rd party security break-in analysis and white box and black box testing to ensure both internal customer segments are secure as well as to ensure safety from the open Internet.
Trial Interactive uses double encryption (at-rest and in-transit) to provide optimal security. TransPerfect policies detail encryption and data protection, detection and controls, as well as systems and security. In terms of transport encryption (i.e. – data or password transmission from the client), the application uses TLS between the client browser, the application, and internal application servers. All data volumes and file content are encrypted. The application uses Hash: SHA-512 to protect shared secrets in storage. Cryptography is used in the application for data and password transmission, and data storage. SSL-2048 is used for HTTP communications and AES 256 is used for encrypted data at rest. AES 25 is used for server-side encryption for RDBMS. Lastly, RSA_WITH_AES_256_CBC_SHA256 cipher suite is enabled for encryption and authentication. All communication with Trial Interactive servers goes over HTTPS/SSL. The enabled protocols are TLSv1, TLSv1.1, TLSv1.2, and the enabled ciphers are the ones recommended by the latest high-security settings. This can be independently verified here: https://www.ssllabs.com/ssltest/analyze.html?d=login.trialinteractive.com.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: With many customers using Trial Interactive at the same time, their data will be co-mingled. Isn't that risky?
Answer: Data is co-mingled at many points on its journey through the Internet, in TransPerfect's internal network, and eventually in Trial Interactive. Just as effective controls have been developed to segregate data on the Internet, TransPerfect has implemented identity-based access controls in Trial Interactive to sustain the needed separation. Each user is identified and then authenticated to establish the session and each session is encrypted to maintain integrity and confidentiality.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: If a customer chooses the Trial Interactive multi-tenant product, is all the data and access still completely under a customer's control?
Answer: Yes. Even though Trial Interactive may be hosted as multi-tenant, it is still a completely closed system for each customer. This means that customers must explicitly invite each and every user to access Trial Interactive and that all data collected in Trial Interactive is stored securely and within the customer's full control.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: At a technical level, please describe the security architecture and security data model of Trial Interactive.
Answer: The servers used are all hardened-kernel Linux with an externally facing hardware firewall, backed by an auto-correcting application layer firewall with intrusion detection. An important characteristic of the Trial Interactive architecture is the separation of customer data. We take data segregation very seriously and understand our customers' concerns regarding data cross-population in a SaaS model. Trial Interactive leverages multiple checkpoints to verify that data bleed does not occur.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Why did we choose to use a third party for Trial Interactive hosting?
Answer: Advanced web service and messaging capabilities allow us to consider distributed architectures that leverage cost-effective third-party alternatives to host where it makes the most business sense (e.g. for less intricate modules of our software) without compromising quality. In short, Trial Interactive takes advantage of these newer capabilities that work better for applications that require improved scalability and reliability. Specifically, the use of the Cloud allows for a greater degree of horizontal scalability, so that we can ensure our customers always achieve a high-quality user experience and performance when using TI.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: What kind of encryption is used by Trial Interactive?
Answer: Trial Interactive uses double encryption (at-rest and in-transit). TLS is used to encrypt all data-in-transit. For data-at-rest identify information (passwords) uses the SHA-512 hashing algorithm.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Please describe the security testing processes used for Trial Interactive.
Answer: Trial Interactive has been tested by a 3rd party security testing firm, using a standard black-box attack test, as well as a white-box internal attack test. External DOS (Denial of Service) attacks are also prevented.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: What are the standard password and session requirements for suppliers using Trial Interactive?
Answer: Users are identified by their email address, with verification of this email address by the customer providing access to this closed system. For Multi-Tenant customers, Passwords must be a minimum 6 characters long, with uppercase, lowercase, numbers, and punctuation marks required. Passwords expire by default every 90 days, and users cannot re-use their last 3 passwords. Users failing their authentication five (5) times for either login or eSignature are locked out of the system, requiring account reset by their customer. All sessions are subject to an interactivity timeout of 5 minutes. All of these options may be modified for Single-Tenant customers.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Is Federated Identity supported by Trial Interactive?
Answer: Yes. Trial Interactive serves as a Service Provider (SP) for SAML based authentication requests from an Identity Provider (IdP)
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Please define how general facility access is managed for Trial Interactive? What kinds of safeguards exist to prevent unauthorized access?
Answer: Trial Interactive utilizes AWS for all Trial Interactive hosting. The selected hosting provider provides virtual servers in an SSAE 16 SOC 2 (formerly SAS 70) data center that incorporates safeguards at the physical, logical, network, and data access layers of their infrastructure in accordance with this certification.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Does TransPerfect allow external access to the Trial Interactive network? If yes, how is it controlled and monitored?
Answer: TransPerfect designs and manages all access into the Trial Interactive cloud services environment as per the access management procedure. Third-party firewall technology is deployed at our perimeter to guard against unauthorized access and access to these devices is controlled via access control lists that are maintained by select resources in our operations organization. All communication is restricted to HTTP and HTTPS (ports 80 and 443) all other access is denied. An intrusion prevention system is deployed to alert SaaS operations of unauthorized attempts to access the cloud services environment. Application tiers that support the cloud services environment are segmented and to provide further security against unrestricted access.
Access to the Trial Interactive cloud services environment by internal TransPerfect resources is strictly controlled and based upon roles. Access request are made in the Trial Interactive access control system and require executive and operations approval. The access control system will track and record the steps in the approval process. The Trial Interactive Cloud Services environment runs on a segregated network from the corporate network and requires a separate set of credentials to be accessed. Logs are kept and reviewed for internal TransPerfect resources accessing the Trial Interactive cloud services environment.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Does TransPerfect have SOPs in place to address the control and access to the Trial Interactive virtual data center and network?
Answer: Yes. The allocation and use of any privileges in a multi-user information system environment are both restricted and controlled, i.e., privileges are assigned by role; privileges are allocated on a need-to-use basis; privileges are allocated only after formal authorization process per TransPerfect logical access policy. The policy addresses those systems where every user is granted access (email account, for example) and others where explicit access is required.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Question: Does TransPerfect maintain a list of current and historical users that have/had access privileges to Trial Interactive? Does TransPerfect have SOPs in place to monitor unauthorized access attempts? Are logs and reports maintained?
Answer: Yes. Operating system logs include IP addresses, attempted / unsuccessful and successful logins.