DistillerSR has enterprise-grade security and compliance in place to safeguard your data and ensure optimal service availability.
DistillerSR builds security, scalability, and availability into everything we do so you can focus on producing evidence-based research faster, more accurately, and more securely.
We undergo an annual independent third-party audit and certify our products using the American Institute of Certified Public Accountants SOC 2 framework. The audit covers the security trust principle.
DistillerSR’s SOC 2 Type II report is available upon request with completion of a
standard non-disclosure agreement.
DistillerSR has documented processes that outline a response plan for security events and incidents. Incidents are initiated when activities fall outside the boundaries defined within controlled processes, or when security or data integrity is deemed to be at risk.
Included in the incident management process is the evaluation and use of Corrective and Preventive Actions (CAPA). The CAPA management process ensures appropriate actions are taken to address the root cause of the event and mitigate future recurrence. Regular meetings are held to review incidents and CAPA, identify and assess trends, and provide status updates.
The DistillerSR platform is hosted on Amazon Web Services (AWS) and is designed to have minimal surface area exposed to potential attackers. All traffic flows through the Amazon Web Application Firewall (WAF).
DistillerSR stores application data in MySQL hosted on AWS Relational Database Service (RDS) and provides logical tenant separation at the database level. High availability and data resiliency are achieved through Multi-AZ replication and daily automated snapshots.
DistillerSR is hosted through AWS data centers in the United States (us-east-1) and Europe (eu-west-1). These two instances are completely separate, and no data is transferred between regions.
DistillerSR uses multiple real-time monitoring services to ensure our systems have up-to-date patches, are available per service-level agreements, and are free from malicious activity, intrusion, and unauthorised behaviour.
Access to instances and databases is tightly controlled through authentication configuration controls.
DistillerSR’s business continuity procedures ensure that our service is available or easily recovered in the case of a disaster. We accomplish business continuity through our robust infrastructure, comprehensive recovery plans, and continuous testing. DistillerSR employs service clustering and network redundancies to eliminate single points of failure.
Customer data is hosted within AWS, which manages physical and environmental security of infrastructure and data. DistillerSR’s head office is a secure location. Key cards are required to access the premises.
DistillerSR uses the agile development methodology to manage changes within the product and system. All product releases undergo a definition process where functional and technical design requirements are collected and documented to guide software engineering and infrastructure teams in development and testing.
All software and infrastructure changes undergo a risk assessment to assess their impact. DistillerSR follows the GAMP 5 risk methodology to define impact against the following factors: severity, probability, and detectability.
Once a change has been developed, it undergoes extensive testing based on the original requirements and the associated risk assessment. If the change passes testing, it may be included in a release.
Product Data Management
Encryption of data at rest is performed using 256-bit Advanced Encryption Standard (AES-256).
DistillerSR uses AWS automated backups to protect the database, taking rolling snapshots of the database that can be Point-In-Time restored to any 5 minute interval.
DistillerSR maintains an audit log that tracks the creation, modification, or deletion of data and application configuration, as well as the context in which the data was changed. This audit log is accessible to customers in a read-only capacity and is designed to meet 21 CFR Part 11 audit log requirements.
User accounts are secured with usernames and passwords, the strength and complexity requirements of which are configurable by the account admin. DistillerSR will issue login credentials to the customer admin, who is then responsible for issuing access. Single sign-on (SSO) is available as an authentication type.
Privacy and Confidentiality
DistillerSR protects personal information and customer data by:
- Implementing extensive policy, network, and infrastructure security protections with respect to all information.
- Limiting the amount of personal information we collect from our customers and users.
- Training employees on our privacy and security programs and obligations to our customers.
- Strictly limiting access, disclosure, use, and transfer of customer data except at the direction of the customer or in accordance with contractual agreements.
- Using personal information only to provide services and never selling it to third parties.
- Retaining an external law firm to monitor changes in privacy law across the globe to ensure all required changes and updates are reflected in our privacy program.
- Requiring employees with access to customer data to undergo annual criminal record checks.
- Undertaking annual external SOC 2 Type II audits to ensure we maintain a high degree of compliance with our programs.
For more information, please review our Privacy Statement.
DistillerSR maintains policies, standard operating procedures, and work instructions to communicate business processes to align customer commitments with the security and privacy practices of employees and contractors.
New employees must complete training on the quality management system, security requirements, and code of conduct before transitioning into role-specific training.
Security awareness and data integrity training are performed annually to communicate updates to business and security requirements.
Our employees, contractors, or other personnel are subject to criminal record and reference checks before they are hired. Employees with access to customer data undergo annual criminal record checks.