How we protect your data, your participants, and your research.
We host our Pulsar and Prism platforms on Digital Ocean, Inc., a world-renowned cloud-based hosting provider. We operate under a shared responsibility model of security, in which Digital Ocean provides both physical and logical security at the data center, and we are responsible for all user and data security at the application level.
At the database level, all databases are encrypted, with automatically managed backups to ensure rollback and recovery capabilities. All database access is over SSL and all terminal access is keystroke-logged. We fulfill all "data in transit and at rest" qualifications.
All data resides on physical servers located in the US.
Our joint responsibility model complies with the following standards:
A widely recognized and internationally accepted information security standard that specifies security management best practices and comprehensive security controls following ISO 27002 best practices guidance.
Provides additional guidance and implementation advice on information security aspects specific to cloud computing.
Establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with defined privacy principles for public cloud computing environments.
An independent examination of IT General controls and controls around availability, confidentiality, and security of customer data relevant for the financial reporting of customers.
Audited reports from an independent examination of the fairness of presentation and the suitability of the design of controls relevant to security, availability, and confidentiality of customer data.
Public reports of security, availability, integrity, confidentiality, and privacy controls.
All projects are provided a HIPAA-compliant environment at no extra cost. We have a signed BAA with Digital Ocean and will sign a BAA with your institution as needed.
We conduct annual audits of our internal policies to ensure adherence to all relevant HIPAA rules and procedures.
At the application level, we follow best practices to ensure that only authorized personnel have access to application code and data, and that all authorization is granted on a "need to know" basis. We use role-based authorization with the following access levels:
Where applicable, study participants use a web-based interface to interact with the study software. Participants have only user-level access as a normal web consumer.
Secure logins are provided to research staff on an as-needed basis. Staff members can monitor participant enrollment and view de-identified study data.
A minimal number of personnel have access to code and data in order to build, maintain, troubleshoot, and report on the study software.
For all users regardless of authorization level: Strong passwords are required with two-factor authorization. Personnel do not have the ability to inspect or decrypt passwords. Forgotten passwords must be reset by the user. In 2026, we are upgrading our login scheme to OTP codes sent via email or SMS, requiring institution-provided email addresses (.edu) and preventing password vulnerabilities from breaches in other systems.
For studies that utilize text messaging capabilities, we use Twilio, Inc., a text-messaging service based in the US. We strive to avoid any personally identifiable information within any text message.
All communications between our platform and Twilio use TLS 1.2+ secure transmission, with auditable acknowledgement and delivery services.
We're happy to discuss our security practices or provide additional documentation for your IT review.
Got Questions? Schedule a Chat