Security at eLabNext
Security is a major concern for all organizations. At eLabNext, the safety of our platform and your data is a daily focus. Read this page to learn more about security at eLabNext.
eLabNext is a brand of Bio-ITech BV, part of Eppendorf group. Since 2016, Bio-ITech has been formally certified for ISO/IEC 27001, the globally accepted standard for information security management. This page identifies the measures we take to safeguard your data.
Data Center and Network Security
| Physical Security | |
|---|---|
| Facilities | Bio-ITech servers are hosted at ISAE 3402 or ISO 27001 compliant facilities in at least two geographically separated data centers. The Cloud for North American customers is hosted in the US. For customers in the rest of the world, the Cloud is hosted in Europe. Private Cloud installations are hosted in an Amazon Web Services (AWS) data center in a region of the customer's choice. |
| On-site Security | All servers are hosted from ISO 27001, SOC 2, or ISAE 3402 compliant facilities. Our data center facilities feature a secured perimeter with 24/7 manned security, video surveillance, physical locks, and security alarms. |
| Monitoring | Network availability is continuously monitored by Bio-ITech. In addition, server performance and uptime are monitored in real time, and Bio-ITech is notified when abnormal events cause set thresholds to be exceeded. |
| Location | Bio-ITech uses data centers in the US for customers from North America and data centers within Europe for customers in the rest of the world. |
| Data Removal | Bio-ITech handles information with great care and disposes of all its storage devices according to an ISO 27002 data destruction protocol. |
| Network Security | |
|---|---|
| Dedicated Security Team | Bio-ITech has a globally distributed security response team that responds to alerts and security events. |
| Protection | Our systems are protected by multiple firewalls, secure data transport using HTTPS encryption, regular security audits, and preventive measures against malicious network attacks. |
| Architecture | Bio-ITech operates multiple security zones with restricted access. Sensitive systems are secured with multi-level protection and are only accessible to those who need access for maintenance. |
| Network Vulnerability Scanning | Bio-ITech periodically assesses the security of application components during internal software security audits. |
| Third-Party Penetration Tests | Our applications are tested extensively for vulnerabilities in periodic penetration tests. |
| Logical Access | Access to the Cloud and Private Cloud network is restricted on a need-to-know basis and requires multiple factors of authentication. |
| Encryption | |
|---|---|
| Encryption in Transit | All communication between end-users and our data center, in both directions, is encrypted using an SSL/TLS (HTTPS) connection. eLabNext products use an Extended Validation (EV) SSL class III certificate issued by COMODO CA Limited, a registered Certificate Authority (CA). Extended Validation certificates are only issued to the most trusted service providers (including governmental institutes and banks) and are indicated by a green trust bar. |
| Encryption at Rest | All backup data is encrypted and stored securely. |
| Availability & Continuity | |
|---|---|
| Uptime | Uptime of all Cloud and Private Cloud servers is monitored in real time. In case of an event, our staff are alerted and are trained to resolve the issue. |
| Redundancy & Backups | The Cloud is hosted in a fully redundant infrastructure to eliminate single points of failure. All data is replicated in real time and archived on a third database to ensure immediate recovery. Additionally, every 24 hours a full backup of all data is stored in our encrypted vault for disaster recovery. |
| Disaster Recovery | Bio-ITech has a disaster recovery procedure in place in case of a complete system failure. |
| Escrow Agreement | To secure business continuity, Bio-ITech provides an escrow service. The source code of the application is securely stored with an independent third party and is released if Bio-ITech fails to provide the required service. |
Application Security
| Secure Development | |
|---|---|
| Security Training | Bio-ITech organizes annual security training for all its staff to keep security awareness up to date. |
| Quality Assurance | Dedicated testers review and test developed code for vulnerabilities. |
| Separate Environments | Development, testing and staging are done in separate environments, ensuring the security of our applications. |
Product Security Features
| Authentication Security | |
|---|---|
| Authentication Options | In the Cloud, we offer eLab sign-in. In the Private Cloud, we offer the possibility to use Single Sign-On (SSO) with Active Directory (AD/LDAP/AD FS). |
| Single Sign-On (SSO) | eLabJournal and eLabInventory allow authentication via Single Sign-On (SSO). Depending on the hosting option, this is possible via AD, AD FS, SAML, LDAP and SURFconext. |
| Two-factor Authentication (2FA) | With two-step verification, users can be required to log in with a two-step verification code in addition to their password. The two-step verification code is generated on their mobile device. Two-step verification provides a second layer of security for your account, making it more difficult for someone else to log in as you. |
| Secure Credential Storage | Bio-ITech adheres to best practices for storing user passwords. Passwords are never stored in a human-readable format; only a secure, salted, one-way hash is stored. |
| API Security & Authentication | The eLabAPI is SSL-only, and you must be a verified user to make API requests. You must always authenticate with your username and password or with an API token to access data via the API. |
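The two authentication rows above, salted one-way password hashing and a time-based two-step code generated on the user's device, can be illustrated with a small Python login check. This is an added example written for this page, not eLabNext code; the PBKDF2 parameters, record format and the 30-second TOTP step are assumptions chosen for the example, and the TOTP part follows RFC 4226/6238 so it can be checked against those RFCs' published test vectors.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Parameters chosen for this example; assumptions, not eLabNext's actual settings.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted one-way hash, never the password itself.

    The record is self-describing (pbkdf2_<hash>$<iterations>$<salt hex>$<digest hex>)
    so the work factor can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_{PBKDF2_HASH}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    hash_name = algo[len("pbkdf2_"):]
    digest = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at_time // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift."""
    counter = at_time // TOTP_STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def two_step_login(password: str, code: str, record: str,
                   totp_secret: bytes, at_time: int) -> bool:
    """Both factors must pass. Both are always evaluated so the response
    does not reveal which factor failed."""
    password_ok = verify_password(password, record)
    code_ok = verify_totp(totp_secret, code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret and a fixed clock.
    demo_secret = b"12345678901234567890"
    record = hash_password("correct horse battery staple")
    print(record)                                   # no plaintext in the stored record
    print(totp(demo_secret, 59))                    # code the device would show at t=59
    print(two_step_login("correct horse battery staple", totp(demo_secret, 59),
                         record, demo_secret, 59))  # True
```

Two points a reviewer should look for in any such implementation: every stored record carries its own random salt (so two users with the same password get different hashes), and comparisons use `hmac.compare_digest` rather than `==`.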
| Additional Security Features | |
|---|---|
| Access Privileges & Roles | eLabNext products support different system roles that allow full system control by an IT system administrator and Organization Key-Users. In addition to their role as a user, their access level can be promoted to allow full control over the entire system, or per organization within the system, depending on the hosting solution. |
| User Roles & Permissions | eLabJournal and eLabInventory support a comprehensive list of permissions that can be activated or disabled per user. Access to data within eLabJournal can be tightly controlled: permissions can be configured to define granular access privileges and are set by the group administrator. |
| IP Restrictions | In the Private Cloud, you may choose to enable IP restriction so that the application is only accessible from specific IP address ranges. These restrictions apply to all users and all data stored in the application. |
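The IP restriction described above is an allowlist of address ranges checked against the client's address on every request. The following Python sketch is an added example, not eLabNext's implementation; the address ranges and the trusted-proxy handling are assumptions. It also covers the edge case practitioners most often get wrong: when the application sits behind a reverse proxy, the `X-Forwarded-For` header may only be trusted if the direct peer is one of your own proxies, otherwise the allowlist check can be bypassed by any client that sets the header.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings such as '10.0.0.0/8' or '2001:db8::/32' into network objects.
    strict=False accepts ranges written with host bits set (e.g. '10.1.2.3/24')."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def is_allowed(client_ip: str, allowlist: List[Network]) -> bool:
    """True if the address falls inside any allowed range; malformed input fails closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def effective_client_ip(remote_addr: str,
                        forwarded_for: Optional[str],
                        trusted_proxies: List[Network]) -> str:
    """Decide which address to check.

    Only honour X-Forwarded-For when the TCP peer is one of our own proxies
    (assumed here to be a single proxy tier that appends exactly one address),
    and then take the rightmost entry, which that proxy appended. The leftmost
    entry is client-controlled and must not be used for access decisions.
    """
    if forwarded_for and is_allowed(remote_addr, trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def request_allowed(remote_addr: str, forwarded_for: Optional[str],
                    allowlist: List[Network], trusted_proxies: List[Network]) -> bool:
    """Full check as a request filter would apply it."""
    return is_allowed(effective_client_ip(remote_addr, forwarded_for, trusted_proxies),
                      allowlist)


if __name__ == "__main__":
    # Constructed sample configuration (documentation ranges, not real deployments).
    allow = parse_allowlist(["10.0.0.0/8", "192.0.2.0/24", "2001:db8::/32"])
    proxies = parse_allowlist(["198.51.100.0/24"])
    # Request via our proxy from an allowed office range: permitted.
    print(request_allowed("198.51.100.7", "10.1.2.3", allow, proxies))      # True
    # Direct request with a forged header: header ignored, peer address denied.
    print(request_allowed("203.0.113.9", "10.1.2.3", allow, proxies))       # False
```

The same `request_allowed` function works for IPv4 and IPv6 ranges because the `ipaddress` module compares an address only against networks of its own family.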
Compliance
| Security Compliance | |
|---|---|
| ISO 27001:2013 | Bio-ITech has been ISO 27001 certified since 2016. |
| GDPR Compliant | Bio-ITech complies with the requirements of the EU General Data Protection Regulation. In dedicated system installations, a system privacy policy can be enforced that blocks end-users from adding personal data to their profile. |
| 21 CFR 11 Compliant | eLabJournal and eLabInventory comply with Title 21 CFR Part 11 of the Code of Federal Regulations, the regulations on electronic records and signatures established by the United States Food and Drug Administration (FDA). |
| FedRAMP | Bio-ITech is compliant with, but not yet certified under, the Federal Risk and Authorization Management Program, a United States government-wide compliance program that sets a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. |
Additional Security Measures
| Security Awareness | |
|---|---|
| Policies | Bio-ITech maintains strict security policies covering a range of topics. These policies are made available to all personnel and contractors who have access to information of Bio-ITech or its customers. |
| Training | All employees follow extensive security awareness training after hiring to maximize security alertness. In addition, all software engineers receive annual Good Coding Practice training in which security is a main topic. |
| Employee Vetting | |
|---|---|
| Background Checks | An extensive screening of educational and professional background is performed on all potential hires during the hiring process. All new employees undergo a formal governmental screening procedure that includes a criminal background check during their trial period. |
| Confidentiality Agreements | All employee contracts contain a Non-Disclosure and Confidentiality agreement. |
Talk to our Security Officer
Get in touch to learn more about how eLabNext ensures data security and compliance.