Trust, Security & Compliance
SOC 2 TYPE II Audit
LabArchives has received a SOC2 TYPE II audit from an independent third party auditor. This audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. The report shows LabArchives has an established framework for internal controls that facilitates accountability and a commitment to security.
To request access to SOC reports, contact us.
ISO 27001:2013 Audit
LabArchives has has been awarded the International Organization for Standardization (ISO) 27001:2013 certification by Schellman, following an external review of our Information Security Management System (ISMS). In order to achieve ISO 27001 certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. The standard emphasizes the measurement and evaluation of an organization’s Information Security Management System (ISMS).
During the external audit, Schellman assessed the ISMS, which applies to LabArchives ELN operations and support, software development and cloud hosting, and found that we meet or exceed the standard in all areas. The auditor concluded that controls had been put in place to protect information assets against associated risks, and that these controls were being monitored and managed effectively.
To request access to ISO reports, contact us.
Physical Security and Redundancies
- LabArchives primary and disaster recovery systems exist in physically secure and separate data centers that are provided by Amazon Web Services (AWS). Read complete AWS facility details.
- LabArchives customer cloud services are separate from any corporate networks as well as development, accounting, email, support, contact, sales, and marketing systems.
- Any access to production systems is limited to LabArchives staff who require the access for systems maintenance with access via 2FA or better with principle of least privilege in mind.
- LabArchives ELN, Inventory and Scheduler customer data or backups do not leave AWS data centers or their geographical region without the consent of the data owner or site administrator.
- LabArchives ELN, Inventory and Scheduler customer data is owned by the customer and is not accessed, classified, or shared with others without consent.
- All LabArchives ELN and Inventory data, backups and systems reside exclusively in the AWS regions of the United States, Australia or Europe depending on customer preference.
- All Scheduler data, backups and systems reside exclusively in AWS regions in the United States with customer SSO-based authentication routed through LabArchives systems in the United States, Australia, or Europe.
- Any retired or replaced disk storage devices or systems used for customer data are securely destroyed and are not stored, reused, or sold.
- All data is encrypted in transit with fulltime HTTPS over TLS 1.2 with HSTS enabled.
- LabArchives servers are protected by redundant, industry standard firewalls and security devices.
- LabArchives runs intrusion detection and protection systems (IDS/IPS) to analyze and block malicious traffic.
- All network traffic is logged and monitored for any suspicious or unusual activity that impacts security and availability with response by LabArchives staff 24/7/365.
Data and Application Security
- All LabArchives customer data and backups are encrypted at rest with AES-256.
- Bi-hourly backups and/or real-time replicas of data are available in physically redundant locations.
- LabArchives adheres to secure coding practices by design and a strict development and deployment process with separate development, testing and production environments and staff with decades of experience writing secure, data driven web applications.
- LabArchives ELN and Inventory have application security vulnerability scans performed by an independent security firm quarterly.
- Each LabArchives ELN’s data is logically isolated from other notebooks’ data with its own internal database.
- LabArchives supports both a proprietary login option and allows for integration with a customer’s SSO systems via SAML (Shibboleth, Azure, ADFS, Okta, and others).
- For proprietary logins, account passwords are stored in encrypted form with a unique salt token for each password. SSO integrations utilize user authentication data in a customer’s SSO system only.
- LabArchives only stores data provided by its customers and has no control over what types of data they store or its classification. This depends solely on the customers’ policies for LabArchives use.
- LabArchives itself does not store any private user information such as social security numbers, driver’s license numbers, bank information, credit cards, etc. All credit cards are processed and stored by a PCI-compliant vendor.
- All access to LabArchives is logged and application logs are monitored regularly for malicious or unusual traffic.
- Critical server statistics and accessibility details are monitored from multiple locations worldwide continuously.
- LabArchives Systems staff are ready to respond when monitoring thresholds for performance and availability are reached with paging 24/7/365.
- LabArchives has detailed Incident Response, Disaster Recovery and Business Continuity policies and procedures that are reviewed and tested at least annually.
LabArchives Compliance Standards
- LabArchives utilizes Amazon Web Services (AWS) for all its infrastructure needs including networks, firewalls, computing, storage, database, etc. Read all AWS compliance details.
- LabArchives ELN and Corporate Processes have completed SOC2 certification by a qualified accounting firm. Report details can be requested by contacting us.
LabArchives Aligns with Many Other Compliance Standards and Guidelines
- HIPAA (Health Insurance Portability and Accountability Act)
- FERPA (Family Educational Rights and Privacy Act)
- GDPR (General Data Protection Regulation)
- Federal Funding Agency Data Management Policy
- FDA – 21 CFR Part 11(ELN only for page signing/witnessing workflows)
- ADA (Americans with Disabilities Act) ELN only
- Section 508 of the Rehabilitation Act (29 U.S.C. § 794d) ELN only
- Level A and AA of the WAI Web Content Accessibility Guidelines 2.0. ELN only
- NIST 800-171
- Australian Modern Slavery Act 2018
Continuity and Contingency Details
LabArchives has contingency plans in place to ensure operations run smoothly despite the impacts of world-wide shutdowns as recently experienced with the global COVID-19 pandemic. No regional, national or other office restrictions will impact LabArchives’ ability to securely serve its users around the globe. LabArchives is ready to assist as you prepare a response plan for your remote work at your lab, company, institution, or in your lab course. If you need help taking your research or lab course online, we are here to help.
- LabArchives is a cloud service provider and a cloud service consumer.
- LabArchives is a serverless office with all business systems including phones provided by major cloud providers.
- Due to federal, state, and local directives, all LabArchives staff are operating from isolated, remote offices with full access to email, phones and business systems required for their jobs.
- LabArchives has run at 100% process effectiveness through the COVID-19 pandemic and shut-down.
- No LabArchives customer data or backups reside in any corporate offices.
- LabArchives systems, databases, networks and security systems in the United States, Australia and Europe (UK) are running in Amazon Web Services (AWS).
- All services in all regions are running at full power with available capacity to support the anticipated increase in our customer’s needs to provide remote research and learning.
- Business Continuity plans account for extreme situations like an office closure to ensure that our global services remain online, fully functional, and fully supported by staff.
- All business-related travel has been temporarily halted. Business is conducted electronically including via remote, online meetings.
- LabArchives has standards of performance guarantees and verified business continuity with all its major service providers.
To request access to SOC reports (SOC 2 and SOC 3) or ISO reports, please contact us. SOC 2 and ISO access will require a signed NDA and special handling by requesters.