Effective date: October 11th, 2019
Saama’s Information Security Program uses “Security by Design”; control is built in at the design phase. By using the most advanced technologies and techniques, we are able to protect your data against the newest threats in the world of increasing risk. Encryption everywhere, Data Loss Prevention, Malware protection at the platform level as well as the perimeter, multi-factor hardened systems as well as proprietary techniques are tested continuously and validated regularly by independent testers.
Data security is paramount for Saama and our customers. Saama protects customer data with world-class physical, network, application, and data-level security. In addition, Saama invests in the most advanced and modern infrastructure available to provide an innovative, scalable, global, predictable, and secure environment.
Saama maintains a comprehensive security program based on ISO 27001 to ensure the confidentiality, integrity, and availability of customer data. Saama is committed to ensuring our services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access – including biometric entry authentication and 24/7/365 onsite monitoring – and that our system processing is complete, accurate, timely, and authorized.
Saama is committed to continuously improve quality within the global regulatory landscape. We maintain a robust and inspection-ready Quality Management System inclusive of policies and procedures to ensure that our software products and services are developed, implemented, and maintained in a manner that meets the needs and expectations of our clients and ensures compliance with applicable regulatory requirements.
We at Saama take stewardship of patient data very seriously. Saama is committed to positive accountability for how we steward your sensitive clinical trial data anywhere on our platform. At Saama, we have a robust GDPR compliance program and Privacy Shield certification (Comprehend Business Unit). We focus on the most stringent standards in the market, not just reaching the minimum requirements by law. Privacy protection is built into the entire Product & service lifecycle at Saama.
ISO (INTERNATIONAL ORGANIZATION FOR STANDARDIZATION) 27001
Saama has achieved ISO (International Organization for Standardization) 27001 certification for our Information Security Management Systems (ISMS).
ISO 27001 is a globally recognized security standard that provides a guideline of the policies and controls that an organization should have in place to secure their data. The standard sets out internationally agreed upon requirements and best practices for the systematic approach to the development, deployment and management of a risk/threat based information security management system.
Global Data Protection Regulation (GDPR) – EU
Saama has been proactive with GDPR compliance. Saama have implemented GDPR compliance program. Saama’s GDPR program includes comprehensive reviews of business processes, systems and practices that interact with personal data.
Saama, as a Data Processor, collects and stores a minimum of Personal Data only as instructed by our Customers (the Data Controller), for the purposes of delivering the Saama Services in line with Data Processing Agreements (DPAs).
EU – U.S. Privacy Shield
Saama participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Saama adheres to the Privacy Shield Principles. Saama is committed to subjecting all Personal Information received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.
Saama is HIPAA-compliant as a Business Associate and complies with both the Privacy Rule and Security Rule.
Saama supports customers that are subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (collectively, “HIPAA”). Under HIPAA, companies have obligations to meet certain privacy and security standards with regard to Protected Health Information (“PHI”).
Organizations that act in support of Covered Entities, as defined in HIPAA, are “Business Associates.” Organizations, such as Saama, that support Covered Entities through the storage and processing of PHI are Business Associates.
For any inquiries regarding PHI, HIPAA, security, privacy, please contact firstname.lastname@example.org.
Saama’s software security framework
- Architecture and design
Secure software begins with product design. Saama developers work with a specialized architecture team to plan new features built on strong security architecture options. Design reviews and checkpoints help developers ensure that they are incorporating secure design concepts into Saama products. And the architectural design helps developers maintain critical security properties, as well as proactively address known security weaknesses.
- Software Development standards, testing and validation
We adhere to strict development standards and perform a variety of testing and validation processes that include both internally developed and third-party scanning and vulnerability tools. Follow-up assessments help ensure that any vulnerabilities found are addressed before a product’s release.
- Agile – Product development methodology
Well-defined Life Cycle for Project executions covering the operation from Planning till post deployment support is in place. A right mix of Risk Based Validation and customized agile Methodology approach for GxP Systems is deployed in Saama to focus on Critical Business Processes. Risk Management and Change Management framework serves the purpose of continuous evaluation of changing business / stakeholder needs.
While Saama have an established QMS, it is also agile enough to accommodate client specific processes or a hybrid of Saama and Client QMS for a seamless integration with client QMS for ease of program executions on need basis.
- Commitment to provide secure solutions
Saama is committed to provide secure solutions and hosted operations for all its customers. Saama LSAC is hosted on Amazon Web Services (AWS). Saama uses AWS as its primary cloud infrastructure provider to meet Saama customers’ growing needs.
- LSAC Information Security
Saama has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk with data following are the general example covering the brief of controls implemented:
- Data at rest encryption: Strong Data Encryption (AES 256) during storage, use of transparent encryption where it’s applicable.
- Data in Transit: Data is secured with SSL / TLS 1.2. Provision to enable custom cipher/encryption key mechanism for client side encryption.
- Confidentiality: LSAC leverages AWS infrastructure and has the capability to ensure the ongoing confidentiality through system security features such as role based access for infrastructure components/services, application data store, application view layer. Role based can be configured based on functional roles, geographical locations, departments and various other parameters.
- Data Integrity: Robust authentication mechanism, LSAC features to use SAML, OAuth, and LDAP authentication mechanism and provide seamless single sign on in accordance with corporate security standards of our customers.
- Audit Trail & Logs: Audit trail & usage logs are available to track & analyze access patterns.
- LSAC 21 CFR Part 11 and EU Annex 11 Compliance
Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).
European Union (EU) Annex 11 covers the interpretation of the principles and guidelines of GMP-regulated activities to computer systems
Saama’s LSAC enables customers to meet their compliance need with 21 CFR Part 11 and EU Annex-11.
Learn more about How Saama’s LSAC supports 21 CFR Part 11 and EU Annex-11 Compliance
- Audit Inspection Support for Saama’s offered Product and Services
As part of providing services to its Customers, Saama also extends support during any Regulatory Inspection. As Data Processors, the experienced team at Saama, supports its customers with regard to the engagement of work as mutually agreed. Saama Team has supported its Customers during inspections from Regulatory Agencies successfully. During inspections, the Saama Services team is highly available and provides round the clock support as per mutually agreed engagement.
- Audit Inspection Support Activities
- Clarify on the scope of inspection and understand the expected support
- Setup a Dedicated support team and identify SPOC
- Accessibility to SME pool, as required
- Support team includes Software developers, industry SMEs, Cloud Specialists, Validation Experts and Service Consultants
- Commitment towards contractual obligation as a Data Processor
- Establish confidence of organization and security measures from GDPR and other standards
- Co-opted approach towards addressing the inspection requirements initiative driven by Management
- Proven successful track record
Cloud Computing Infrastructure
Saama leverages the global footprint and regulatory compliance of AWS cloud-computing infrastructure, Saama provides an internationally accessible platform that meets scalable, predictable, stringent privacy, security, and reliability standards.
AWS provides the most reliable, regulatory compliant, secure, cloud environment available today. Redundancies exist at the virtual machine (VM), datacenter, and regional levels. This allows us to offer Service Level Agreements (SLAs) guaranteeing 99.99% availability.
The IT infrastructure that AWS provides is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
- SOC 1/ISAE 3402, SOC 2, SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018
AWS is Privacy Shield certified and has entered into the EU Model Clauses and a Business Associate Agreement (HIPAA) with Saama. See further AWS Certifications. To ensure conformance with local regulations, application data resides and is backed-up in key geographic regions — U.S. (West and East Coast), Europe (Germany and Ireland), and Japan.
For details Refer https://aws.amazon.com/compliance/programs/
Saama’s Customer can take advantage of multi-layered security provided by AWS across physical datacenters, infrastructure, and operations in AWS. Gain from the state-of-art security delivered in AWS data centers globally. Rely on a cloud that is built with customized hardware, has security controls integrated into the hardware and firmware components, and added protections against threats such as DDoS.
- Data Back-up & Storage
Unlimited, secure, encrypted, geo-redundant data storage via AWS Site Recovery, guarantees accurate and seamless back-up and disaster recovery.
Access Out-of-the-Box Features in 4 Weeks—Guaranteed.
Saama can put you on the fast track to clinical trial process innovation.