Aridhia is committed to protecting and respecting the privacy and security of your data. We look after your data carefully and are very open about the provisions we have put in place to ensure it is protected and to help you meet your compliance obligations under UK & EU law, international standards and sector-specific standards.
We hope the following sections will answer your questions on how Aridhia approaches privacy and security.
Information governance and security management within Aridhia
Aridhia’s General Counsel acts as our Data Protection Officer and Compliance Officer, ensuring the company is aligned to all internal and external policies, laws, and regulations. The General Counsel is also a member of the company board.
Our Information Security manager is responsible for the day-to-day operational security, risk management and incident management, reporting into the COO.
Our Security Review Board provides oversight and direction relating to information security across all aspects of the Company.
Aridhia completed the ISO 27001 certification in June 2019, maintaining this certification through multiple audits. ISO 27701 certification was achieved in June 2022.
The Azure-hosted Aridhia DRE is also HITRUST CSF certified, and we hold several UK certifications, some of which can be seen below.
- Aridhia ISO27001 certificate
- Aridhia ISO27701 certificate
- HITRUST CSF
- ICO Registration Certificate
- NHS Data Security and Protection Toolkit assessment
- Cyber Essentials Plus
- Microsoft compliance documentation
General Data Protection Regulation
Aridhia achieves compliance with GDPR through the implementation of ISO 27701 policies and processes which ensure that:
- Information is processed on a lawful and transparent basis.
- Strong data security is achieved through design.
- Information security governance and accountability within Aridhia is clear.
- Individuals’ privacy rights are respected.
Software Development Lifecycle
In developing the DRE, Aridhia follows the OWASP Top 10 guidelines and uses tools to ensure our software complies with the OWASP best practice framework. Also, a “security by design” approach is followed.
We have many measures in place to ensure we follow a secure software development process, including:
- Coding controls are implemented.
- Privacy Impact Assessments are conducted.
- Frequent regression tests, both automated and manual, to ensure any work for new features does not introduce security flaws.
- Separate and secured development and test environments.
- Vulnerability scanning processes are in place.
- Independent security companies conduct regular penetration tests.
Aridhia’s services are hosted within the Microsoft Azure cloud platform in the relevant country/region of your choice. Azure has all relevant information security and cloud certifications, including ISO 27001, ISO 27701, and CSA STAR.
All instances of the Aridhia DRE are deployed for specific customer organisations who may adapt our information governance framework to suit their needs. Aridhia is always the data processor, and the customer remains the data controller. Your use of the DRE is also governed by an agreement with that customer organisation.
Access to your data
We will not view your data unless you explicitly instruct us to. You may ask us to resolve a problem you are experiencing with the system, in which case we may need to access your workspace. We will not do this unless you confirm that you are happy for us to do so.
You might ask us to do some technical work to review your files or you may require professional services from our Enablement team. These use cases may require us to access your data, but it will happen only if you ask us to and we have received authorisation from the appropriate individual and/or committee.
About the Digital Research Environment
Within the DRE, security controls include:
- All user access is via an HTTPS URL protected by a rooted certificate issued by DigiCert SHA2 Secure Server CA, using the sha256RSA signature algorithm with the sha256 signature hashing algorithm. Only TLS 1.2 or above is used.
- Encryption in transit. All internal network traffic is protected by HTTPS or by TLS 1.2 or above.
- Encryption at rest. By default, Microsoft Azure encrypts data using FIPS 140-2 compliant 256-bit AES encryption for storage accounts and virtual machine disks.
- Two-factor authentication is required to access DRE services.
- The secure Workspace boundary is created through a virtual network configuration and enforced through a permissions model.
- An Intrusion Detection System and an Intrusion Protection System are implemented, with security alerts automatically raised to Aridhia’s Service Desk Team.
- Data upload and data extraction are only permitted through an approval process.
- All uploads go through a malware scanning process.
- Full audit reporting of events.
The DRE is a managed service, where Aridhia performs the following operations:
- OS patching (scheduled and ad hoc in the event of emergency updates).
- Nightly back-ups of the environment.
- All support teams have separate privileged admin accounts and these require 2FA. All support team actions are logged.
- Regular audits of the privileged accounts.
- All Aridhia employees who have access to the operational environment go through a criminal record check.
- Mandatory security training at inductions and periodic refresher training for all employees.
- All changes to the platform are subject to change control.
- Incident management and CSIRT processes.
- Monthly audit of key ISO27001 controls.
- Quarterly BCP/DR exercises.
- Data is backed up to the Azure region agreed with the Customer, either the local Azure region or a remote region within the same territory, as per Customer’s statutory and legal obligations.
- Backups are tested on a bi-monthly basis to ensure the data is recoverable.
- All environments are monitored, with security, backup failure and capacity alerts being automatically logged with the Operations and Service Desk teams.
- The Aridhia DRE has a Recovery Point Objective of 24 hours and a Recovery Time Objective of 72 hours.
For public and customer requests relating to security or privacy, or if you wish to report a suspected issue or vulnerability, the details of our Service Desk and OSOs can be found below.
Information Security & IT Manager
Chief Operating Officer