At Vodori, we take security seriously. Our software, infrastructure, operations, and HR policies are all designed with a focus on data security. We believe that by providing transparency concerning our data security practices, you will better understand just one of the benefits of utilizing Vodori’s software to transform your business processes.
Our Compliance With Data Security Requirements
Vodori has decades of experience working in and developing software for life sciences. We know that your business requires you to maintain security with respect to company and customer data and for purposes of your compliance with applicable laws. Vodori’s rigorous compliance program focuses on data security, SDLC and infrastructure, risk management, and how we select and assess our vendors.
Vodori annually completes a third party SOC 2 Type II audit for the security, availability, and confidentiality principles, demonstrating Vodori’s commitment to our customers’ data security and privacy. Vodori implemented the security and compliance automation platform Drata to continuously monitor the company’s SOC 2 security controls year-round.
To obtain a copy of the SOC 2 Type II report, please contact your Customer Success Manager or Vodori Account Executive.
Vodori processes data in a manner that is designed to comply with the EU General Data Protection Regulation (GDPR), adhering to comprehensive internal privacy and security practices and policies, including with respect to:
- employee security and data privacy training,
- vendor data privacy, compliance, and risk assessment,
- handling data information requests,
- data collection, consent, and retention, and
- data breach response.
ISO 27001 Compliant Data Centers
Vodori partners with Amazon Web Services (AWS), a SOC 2 Type II and ISO 27001 certified data center that provides a high degree of availability and security for our software. AWS’s SOC 2 and ISO 27001 compliance requirements provide systematic evaluation of risks, threats, and vulnerabilities through a set of established controls.
GxP & FDA 21 CFR Part 11: Compliance and Software Validation
Pepper Cloud meets specific requirements in the FDA’s regulations pertaining to the use of electronic records and the capture of electronic signatures (i.e., FDA 21 CFR Part 11). Pepper Cloud also is in compliance with certain other applicable industry standards and good practice guidelines relating to the maintenance of documentation, including GxP. Our rigorous validation program was designed by industry experts with years of experience. Our SOC 2 report includes testing of controls supporting our validation processes.
Our Data Security Measures
Data Storage & Encryption
Data Storage and Encryption at Rest
The Pepper Cloud architecture is designed. Pepper Cloud uses:
- a redundant, fault-tolerant database that is deployed across multiple availability zones, and
- Amazon’s highly available and highly redundant storage architecture.
Our data volumes are encrypted at rest with AES-256 encryption. Network communication between Pepper Cloud and the database is encrypted.
Customer binary data is logically separated by customer in AWS and protected using customer-specific policies. Data stored in AWS is encrypted at rest using customer-specific encryption keys and AES-256 encryption. Network communication between Pepper Cloud and AWS is encrypted.
Pepper Cloud uses unique encryption keys for each customer to encrypt:
- the credentials for each database used to store customer data,
- OAuth2 credentials used for authentication between applications,
- sensitive configuration values (such as external authentication provider credentials), and
- customer data.
Pepper Cloud uses a strong one-way hashing algorithm with unique salts to store user passwords. These passwords are not recoverable by inspection of the data and are only ever known to the end user.
Data Encryption in Transit
All communication between you and Pepper Cloud is encrypted via HTTPS using TLS v1.2. Additionally, all data exchanged between internal and external services is encrypted.
Applications requiring authentication (including mobile applications) require the use of OAuth2 or SAML authentication protocols.
SAML & OAuth2 Based SSO
Pepper Cloud’s SSO is based on the industry standards SAML and OAuth2/OpenID Connect for managing user authentication. Our SSO can integrate with third-party SSO providers such as Microsoft Azure Active Directory, Google Apps, PingFederate, Auth0, and Okta.
Web Application Firewall (Threat Detection & Intrusion Detection)
Vodori uses a Web Application Firewall (WAF) to protect against cyberattacks. Our WAF is integrated with a managed third-party Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) that is deployed between public traffic and our applications to continuously monitor network traffic and to report and block suspicious activity. If suspicious activity is identified, it is logged and escalated to Vodori’s CTO & Engineering Team.
Vodori uses separate security groups for purposes of permitting only appropriate traffic between systems within AWS.
Pepper Cloud uses browser protections such as HTTP Strict Transport Security (HSTS).
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. AWS uses techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process, with magnetic storage devices being degaussed and physically destroyed in accordance with customary practices in the industry.
Pepper Cloud does not archive or purge any information stored in the system unless requested by the customer.
Standard Operating Procedures
Access to Data at AWS
Access to customer data by Vodori is restricted to only authorized Vodori personnel. All production data access at AWS is logged and reviewed on a regular basis.
Access to Data in Pepper Cloud
To support our customers and end-users, the following teams have access to each customer-assigned Pepper Cloud environment:
- Customer Success Manager(s)
Customers are able to view, report, and modify this access using Pepper Cloud’s User Management solution. Data is not stored or retained by Vodori employees.
Regular Updates / Patch Management
All patches are downloaded and tested on non-production servers monthly prior to installation in production. Deployment into production is scheduled based on the results of testing patches in non-production environments. Patches are evaluated based upon security risk, benefit to the system, and danger to the overall network. Patches and hotfixes deemed necessary are installed within thirty (30) days of release or notification. Critical patches are applied within 72 hours. Non-critical patches are applied during the monthly network maintenance window.
Physical access at AWS is strictly controlled both at the perimeter and at building access points by trained security staff utilizing video surveillance, intrusion detection systems, and other electronic systems. Read more on AWS physical security.
Vodori employees do not have physical access to data centers. Access to Vodori offices is granted only to authorized individuals and is physically protected by key fob, which is required at all entrances.
All laptops, workstations, and portable devices that store or access Vodori protected or customer data are encrypted.
Electronic transfer of Vodori protected and customer data is performed via an encrypted channel (SSL, SFTP, VPN).
Any physical transfer (e.g. DVD) of customer data is also encrypted.
Access Control Policy
Vodori institutes the following access controls, which are designed to minimize potential exposure resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the networks, systems and applications:
- Employee access to systems is restricted based on need.
- Access is through named accounts which require MFA to sign in.
- Access to systems is logged.
- No unapproved devices may access the Vodori network.
- Segregation of duties is used to require that proper authorization is performed prior to access.
Vodori requires antivirus software on all operating systems to improve the overall security of Vodori-managed networks.
Computer Security Policy
Vodori has established standards for computer security to protect against unauthorized access to employee computers. This policy includes requirements for computer locking, compliance with encryption and password policies, staying current with operating system patches, and computer decommissioning.
Our Performance and Reliability Methods
Pepper Cloud is hosted at Amazon Web Services (AWS), which maintains compliance with globally recognized auditing standards including SOC 1/2/3 and ISO 9001/27001/27017/27018.
To help protect against DDoS attacks, Pepper Cloud uses web application firewalls, load balancers, and fully managed security services to monitor and tune the web application firewall 24x7x365.
Application clusters are deployed across multiple availability zones to provide continued availability.
Backups of customer data occur at least daily, are stored in secure data centers, and are encrypted at rest with AES-256 using the customer-specific encryption key. Backups are stored in logically separate locations, with data automatically replicated across multiple data centers. Backup restoration procedures are routinely tested.
Monitoring, Logging, and Reporting
Vodori uses real-time monitoring and error-tracking software which gives Vodori’s SRE and Product Teams insight into production deployments and information to reproduce and fix errors.
Pepper Cloud applications are configured to send critical errors for review and triage by the SRE and Product Teams. Issues that get addressed in future releases of the product are tracked as part of Vodori’s SDLC and release notes.
Each application within Pepper Cloud implements health checks that return information about the application’s availability. Real-time health checks monitor each application’s status, and if a health check fails, the application can be automatically restarted in an attempt to restore service. Vodori’s Engineering Teams are notified of this event.
Vodori also utilizes a digital intelligence platform allowing product and infrastructure engineers to measure and monitor the performance of Pepper Cloud applications and infrastructure.
Disaster and Data Recovery
Vodori has a standard operating procedure for disaster and data recovery that is practiced biannually. Results of the disaster recovery procedures are documented and preserved according to the Vodori data retention policy, with a postmortem report made available to customers on an annual basis.
Vodori operates with a Recovery Point Objective (RPO) of 4 hours and a Recovery Time Objective (RTO) of 24 hours.
Our Code Security Measures
Secure Software Development & SDLC
Vodori has designed and implemented a secure software development life cycle (SDLC) based on GxP guidelines which integrates comprehensive security practices from start to finish.
Comprehensive security and penetration scans are performed using a third-party toolset prior to completion of each product release — at compile time and runtime.
All issues identified by the tools are reviewed and appropriately mitigated before the release is promoted to production.
We build our products using the “Security by Design” principles, a process and mindset that anticipates security features through the entire development process.
Passwords, access tokens, and sensitive configuration files are not stored in Vodori’s Version Control System (VCS).
All production builds of Vodori software have integrated code and framework dependency security checks that fail builds for any Critical or High reported concerns.
Vodori engineers develop using test data and do not use production customer data.
Applications do not log user sensitive information such as passwords, access tokens, or any other information which could lead to an account or system being compromised.
Code Peer Review
Vodori requires that all code merged into production code branches is reviewed and approved via a Pull Request and that code reviews follow Vodori’s Code Reviews standards.
Quality Assurance (QA)
Quality Assurance is integrated into our process, from individual code changes all the way through preparing a release for our customers. Each feature or change developed in Pepper Cloud is tested using a combination of unit, integration, and regression test scripts as appropriate. All releases of Pepper Cloud undergo rigorous regression and security testing prior to release.
Vodori tests in a separate test environment, within a separate AWS account, so that production and customer data are separated from test data.
Each day, new threats and vulnerabilities are discovered. To help protect your data against external attackers, we’ve designed and implemented a strict vulnerability management process into our SDLC.
All builds of Pepper Cloud include an updated integrated code and framework dependency security check. If any critical- or high-risk issues are reported, Pepper Cloud will not build or deploy. Vulnerabilities identified as medium- or low-risk will be reviewed and addressed as needed. Further, all of our applications are security scanned so that bundled middleware is checked for known security issues. Pepper Cloud builds will fail for any CRITICAL or HIGH issues reported via container scanning.
Software Release Process
In preparation for a release, Vodori prepares the internal Release Notes and the Release Checklist to facilitate the release process. Release Notes describe the purpose for the release, outline the changes being made in the release, include the associated tickets, and provide any other important context. The Release Checklist describes detailed steps needed to perform the changes in the target environment.
All development tickets are systematically associated with a specific release, and upon completion of all tickets for a particular release, the release branch can be created. The release branch segregates all code for that particular release, which can then be deployed to the target environment.
The System Owner, Quality Assurance team, and SRE Team meet to review the Release Checklist with a focus on making it clear, complete, and accurate.
After a release branch has been created, a security scan is executed to identify and report any security risks that exist within the application code. All releases performed by Vodori must pass a security scan, or have a formal exception granted, before the code can be deployed to a validation or production environment.
When the scan is complete and any identified vulnerabilities are resolved, a code freeze is placed on the release branch. No changes may exist in a release that were not present during the security scanning process and execution of validation. Should additional changes be needed for any reason, a new scan must be executed or an exception must be granted.
Once the code freeze is effective, validation testing is executed according to the Software Validation Procedures.