Security Policies Overview for IntelliseqFlow Platform and Intelliseq Services

Effective: April 26th, 2021

Introduction

The Security Policies Overview is a shortened excerpt from the complete Security Policies catalog of documents which are part of Intelliseq internal documentation as required by The General Data Protection Regulation (EU) 2016/679 (GDPR), Health Insurance Portability and Accountability Act, ISO13485, and ISO27001. This document is incorporated as a part of Intelliseq’s Terms of Service available at https://flow.intelliseq.com/terms-of-use and Privacy Policy available at https://flow.intelliseq.com/privacy-policy, to which Business Customer has agreed and accepted or a signed Business Associate Agreement or other similar written agreement between Intelliseq and Business Customer. In this document for the Intelliseq Services references to “Intelliseq” will refer collectively to Intelliseq sp. z o.o., located in Krakow (30-046), Stanislawa Konarskiego street 42/13 and its Affiliates. The term “Business Customer” will refer to Business Customer Company and its Affiliates. The purpose of this Security Policies Overview is to describe the security issues handling Intelliseq Services. This Security Policies Overview describes the security standards that Intelliseq implemented and critical issues handling in order to protect Business Customer Data from unauthorized access, use, or manipulation. Intelliseq reserves the right to update this Security Policies Overview in the future.

Lawful basis and transparency

Intelliseq operates exclusively in a Business to Business model and does not own the processed data nor does control it. This means that Intelliseq is not able to change the purpose and how the data is used. The requirement to obtain all specific requirements relies
on the Business Customer which is the Data controller.

Intelliseq maintains an up-to-date and detailed list of processing activities and is prepared to submit that list to regulatory authorities upon request. The information that is stored includes the purpose of the processing, identifiers of data that were processed, who has access to it. This information persists even after the original data was removed. Intelliseq has a clear data removal policy which is 30 days after the last data accession either during upload or for analytical purposes. This period can be extended upon Business Customer request.

Intelliseq Certificates

Intelliseq has obtained the following security-related certifications:

  • EN ISO13485:2003/AC:2007 certification. ISO 13485 Medical devices, Quality Management Systems and Requirements for Regulatory Purposes is an International Organization for Standardization (ISO) standard published for the first time in 1996. It represents the requirements for a comprehensive quality management system for the design and manufacture of medical devices. This certification includes appropriate controls in the work environment to ensure product safety and focus on risk management activities and design control activities during product development.
  • European Molecular Genetics Quality Network (EMQN). This certification includes assessment of genotyping and quality of raw data for laboratories performing NGSbased germline testing.

Organization security

Security Organization. Intelliseq’s security program includes administrative, personal, technical, and physical protections designed to protect the confidentiality, integrity, and availability of Business Customer Data. Intelliseq has a separate dedicated team that manages Intelliseq’s security framework. This team facilitates and supports independent third-party audits and assessments. Intelliseq’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Data Security, People Security, Vendor Security, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, Product Security, Cloud and Network Security, ThirdParty Security, Vulnerability Management, and Incident Response. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Intelliseq employees for their reference.

Intelliseq has a procedure for notifying the authorities and data subjects in the event of a data breach within three working days.

Data Security

Intelliseq implemented data protection by design and by default. Data protection is taken into account during all decisions.

Encryption at Rest and in Transit. For Intelliseq Services, IntelliseqFlow cloud platform supports TLS 1.2 to encrypt network traffic transmitted between a Business Customer application and Intelliseq’s cloud infrastructure. All data is retained redundantly across
availability zones and is encrypted at rest using 256-bit Advanced Encryption Standard (AES256) server-side encryption.

People Security

Intelliseq currently verifies the education, previous employment, and references of each candidate. Intelliseq has a security policy that provides team members with knowledge of email security, passwords, two-factor authentication, and device encryption. Intelliseq has
implemented clear role-based access permissions. All Intelliseq employees must complete Intelliseq Security and Privacy Training, which includes Intelliseq Security Principles, Security Best Practices, and Privacy Policies. Employees who have access to personal data and nontechnical employees undergo additional training on the requirements of the GDPR. Intelliseq’s dedicated security specialist also gives lectures on new threats.

Intelliseq cares about the confidentiality of Business Customer Data that Business Customer makes available to our company. All Intelliseq employees and contract personnel are obliged by Intelliseq’s internal policies regarding securing the confidentiality of Business Customer Data.

Vendor Security

Intelliseq may use external suppliers to provide the Services. Intelliseq conducts a security risk-based assessment of potential suppliers before working with these suppliers to verify that potential suppliers meet Intelliseq’s security requirements. Intelliseq periodically reviews each provider in the context of Intelliseq’s security and business continuity standards. It includes the type of access and classification of data accessed (if any), controls necessary for data protection, and legal/regulatory requirements. Intelliseq ensures that Business Customer Data will be returned and/or deleted after the end of the supplier relationship. Telecommunications service providers are not considered subcontractors of Intelliseq. Intelliseq enters into agreements with Business Partners with all of its Suppliers, which include confidentiality, privacy, and security obligations that ensure an adequate level of protection of data contained in the Business Customer Data that may be processed by these Vendors.

IntelliseqFlow is hosted by Google Cloud. The current location of the Google Cloud data center infrastructure used in providing Intelliseq Services is located in the United States. We are planning to allow Business Customers to choose location and cloud provider (Google Cloud, AWS, Azure) in the future. More information about the security provided by Google Cloud is available from the Google Cloud security webpage available at https://cloud.google.com/security. Intelliseq’s production environment within Google Cloud, where Business Customer Data and Business Customer-facing applications sit, is an isolated Virtual Private Cloud (VPC).

Network Security

For Intelliseq Services all network access between external environments and production hosts is restricted, using firewalls and token-based authentication to allow only authorized services to interact with the production network. Firewalls manage the separation of
networks between different security zones in the production and enterprise environment. Intelliseq separates Business Customer Data using UUID identifiers marking all communications data with the associated Business Customer ID to identify ownership. Intelliseq’s APIs are designed and built to identify and allow access only to and from allowed entities tags and enforce access controls. This is to ensure the confidentiality and integrity requirements for each Business Customer are appropriately addressed. These controls are in
place so one Business Customer’s communication cannot be accessed by another Business Customer.

Physical Security

Google Cloud data centers that host Intelliseq Services are strictly controlled both at the perimeter and at building ingress points by professional security staff. Google designs and builds its own data centers, which incorporate multiple layers of physical security protections. Access to these centers is limited to only a very small fraction of Google employees. We use multiple physical security layers to protect our data center floors and use technologies like biometric identification, metal detection, cameras, and vehicle barriers. Google additionally hosts some servers in third-party data centers, where we ensure that there are Googlecontrolled physical security measures on top of the security layers provided by the data center operator. For example, in such sites, we may operate independent biometric identification systems, cameras, and metal detectors.

Access Control

To minimize the risk of data disclosure, Intelliseq follows the principles of least privilege by an organization and a project-based access control model when allocating access to the system. Intelliseq personnel can be granted authorized access to Business Customer Data after acceptance by a security officer based on their job function, role, and responsibilities. Such access will be visible to the Business Customer in the project administration panel. An employee’s access to Business Customer Data is promptly removed upon termination of their employment. To access the production environment, an authorized user must have a unique username and password, multi-factor authentication. Before an engineer is granted access to the production environment, access must be approved by management, and the engineer is required to complete internal training. Intelliseq logs high-risk actions and changes in the production environment.

Intelliseq’s current policy for employee password management follows the GDPR guidance, and as such, our policy is to use longer passwords, alongside multi-factor authentication. The authentication system is hosted on AWS and is a separate part of Intelliseq Services. When a Business Customer logs into its Intelliseq account, Intelliseq hashes the credentials of the user before it is stored. A Business Customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA).

Change Management

Change requests are documented in a formal ITSM system. Intelliseq has a formal change management process to manage changes to software and workflows that are deployed within the production environment. Besides the production environment, Intelliseq has staging and test environments. Before a risk-prone change being introduced, an assessment composed of formalized testing procedures is carried out in the staging environment to consider the impact and risk of a requested change. This is required for the approval of new deployment into production by appropriate approvers.

Vulnerability Management

Intelliseq vulnerability management involves independent third-party entities to conduct application-level penetration tests. Results of penetration tests are remediated appropriately by Intelliseq’s security or development teams.

Intelliseq developed policies to reduce the risk from security vulnerabilities in an appropriate time frame that includes balancing risk and the business/operational requirements. Critical software patches are evaluated, tested, and applied proactively. For the Intelliseq Services, operating system patches are applied through the regeneration of docker images and deployed to all nodes and pods in the Intelliseq cluster.

Intelliseq maintains security incident management policies and procedures following the GDPR. Intelliseq assesses the threat of all significant vulnerabilities or security incidents and determines corrective and mitigating actions for all incidents. Intelliseq keeps security logs for five years. Access to these security logs is restricted to the Security Manager, Development Team Leader, and dedicated development team person. Intelliseq uses Kubernetes tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.

After detecting or notifying about any Security Incident, Intelliseq will immediately investigate such a security incident, promptly notify Business Customers, notify appropriate institutions within 72 hours.

Service availability and resilience. Intelliseq infrastructure for the Intelliseq Services uses a variety of tools and mechanisms to achieve high availability and resiliency. For the Intelliseq Services, Intelliseq’s infrastructure spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another. For Intelliseq Services, there are manual or automatic capabilities to re-route and regenerate hosts within Intelliseq’s infrastructure.

The Intelliseq infrastructure is capable of detecting and avoiding problems experienced by hosts and even entire data centers in real-time and uses orchestration tooling that can regenerate hosts by building them from the latest backup. Intelliseq uses specialized tools
that monitor server performance, data, and traffic load capacity in each availability zone and colocation data centers. If suboptimal server performance or overload is detected on a server in an availability zone or colocation data center, these specialized tools will increase capacity or shift traffic to reduce suboptimal server performance or capacity overload. Intelliseq will also be notified immediately and will be able to take immediate action to remedy the cause(s) of these problems if specialized tools are unable to do so.

Disaster Recovery

Intelliseq services and the platform are focused on data analysis and not on data storage. Intelliseq hosts Business Customer data only in one region and upon disaster, the data will be lost. All other parts of the platform including code, database of user activities, and log data are backed up into at least one additional region. Similarly, source code for workflows as well as docker images are hosted on multiple sites.

Custom Workflows

Intelliseq develops custom workflows upon request from Business Customers. Custom workflows are hosted on a separate git repository for which only Intelliseq and Business Customer have access. Data required to build docker images are hosted on a separate Google Cloud disk for the time of at least six months, which can be extended by the service agreement. Docker images themselves are hosted on a Google Container Registry repository to which only Intelliseq and Business Customer have access. Custom workflows are built using the same rigorous security procedures as native workflows on the IntelliseqFlow platform.